| Ticket Hash: | 78588b938a11f50207db20e0516e2a0a9a31314a | ||
| Title: | Virtual Table Sync frees pVtab->zErrMsg without zeroing | ||
| Status: | Fixed | Type: | Code_Defect |
| Severity: | Minor | Priority: | Immediate |
| Subsystem: | Unknown | Resolution: | Fixed |
| Last Modified: |
2013-07-17 11:54:50 11.96 years ago |
Created: |
2013-07-17 04:15:54 11.96 years ago |
| Version Found In: | 3.7.17 | ||
| User Comments: | ||||
nobody added on 2013-07-17 04:15:54:
(text/html)
<p> In the <code>src/vtab.c</code> and the <code>sqlite3VtabSync</code> function, <code>pVtab->zErrMsg</code> is freed without then being zeroed. This leads to a double-free error condition when <code>pVtab->zErrMsg</code> is later examined, found non-zero and freed (again). </p> <p> The simplest way to reproduce the problem is to create a virtual table implementation that implements <code>xSync</code>. In <code>xSync</code>, set <code>pVtab->zErrMsg</code> to an allocated string and return an error result. At the next callback opportunity (mine was in <code>xRollback</code>), <code>pVtab->zErrMsg</code> will still be set, when it should be zero. </p> | ||||