Ticket UUID: 78588b938a11f50207db20e0516e2a0a9a31314a
Title: Virtual Table Sync frees pVtab->zErrMsg without zeroing
Status: Fixed
Type: Code_Defect
Severity: Minor
Priority: Immediate
Subsystem: Unknown
Resolution: Fixed
Last Modified: 2013-07-17 11:54:50
Version Found In: 3.7.17
User Comments:
nobody added on 2013-07-17 04:15:54:

In src/vtab.c, in the sqlite3VtabSync function, pVtab->zErrMsg is freed without then being zeroed. This leads to a double-free error condition when pVtab->zErrMsg is later examined, found non-zero and freed (again).

The simplest way to reproduce the problem is to create a virtual table implementation that implements xSync. In xSync, set pVtab->zErrMsg to an allocated string and return an error result. At the next callback opportunity (mine was in xRollback), pVtab->zErrMsg will still be set, when it should be zero.
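
The free-without-zeroing pattern reported above, modelled as an added example that is neither SQLite source code nor part of the ticket. `ModelVtab`, `tracked_strdup`, `tracked_free`, `sync_step`, `later_cleanup` and `run_scenario` are hypothetical names, and the tracking allocator counts a repeated release instead of performing it, so the defect can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a virtual table object; names are hypothetical, not SQLite's. */
typedef struct { char *zErrMsg; } ModelVtab;

/* Tracking allocator: blocks are really released only at the end of
   run_scenario(), so a repeated release is counted, never executed. */
static struct { char *p; int live; } g_tab[8];
static int g_n, g_double_frees;

static char *tracked_strdup(const char *z){
  char *p = malloc(strlen(z) + 1);
  if( p==NULL || g_n==8 ){ free(p); return NULL; }
  strcpy(p, z);
  g_tab[g_n].p = p; g_tab[g_n].live = 1; g_n++;
  return p;
}
static void tracked_free(char *p){
  for(int i=0; p!=NULL && i<g_n; i++){
    if( g_tab[i].p!=p ) continue;
    if( !g_tab[i].live ) g_double_frees++;  /* second release of one block */
    g_tab[i].live = 0;
    return;
  }
}
/* Sync step: a failing xSync leaves an allocated message in zErrMsg and the
   caller frees it. Zeroing afterwards is what the ticket says is missing. */
static void sync_step(ModelVtab *v, int zero_after_free){
  v->zErrMsg = tracked_strdup("sync failed");  /* what xSync would set */
  tracked_free(v->zErrMsg);
  if( zero_after_free ) v->zErrMsg = NULL;
}
/* Later cleanup: frees any message that still looks set. */
static void later_cleanup(ModelVtab *v){
  if( v->zErrMsg ){ tracked_free(v->zErrMsg); v->zErrMsg = NULL; }
}
/* Double frees counted over one sync step plus one later cleanup. */
int run_scenario(int zero_after_free){
  ModelVtab v = { NULL };
  g_n = 0; g_double_frees = 0;
  sync_step(&v, zero_after_free);
  later_cleanup(&v);
  for(int i=0; i<g_n; i++) free(g_tab[i].p);  /* real release, once each */
  return g_double_frees;
}
int main(void){
  printf("no zeroing: %d, zeroing: %d\n", run_scenario(0), run_scenario(1));
  return 0;
}
```

On a real build, the same condition is what AddressSanitizer reports as `attempting double-free`, which makes it a useful check when testing virtual table modules that return errors from xSync.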