Fix bad-free in ensure_vector_match: aCleanup(a) → aCleanup(*a)

asg017 · claude · asg017 · commit 4ce1ef3c6fda · 2026-03-02T20:50:54.000-08:00
When the second vector argument fails to parse, the cleanup of the first vector was called with the double-pointer 'a' instead of '*a'. When the first vector was parsed from JSON text (cleanup = sqlite3_free), this called sqlite3_free on a stack address, causing a crash. Found by the vec-mismatch fuzz target. Shout out to @renatgalimov in #257 for finding the original bug! Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/sqlite-vec.c b/sqlite-vec.c
@@ -1028,7 +1028,7 @@ int ensure_vector_match(sqlite3_value *aValue, sqlite3_value *bValue, void **a,
   if (rc != SQLITE_OK) {
     *outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);
     sqlite3_free(error);
-    aCleanup(a);
+    aCleanup(*a);
     return SQLITE_ERROR;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1028,7 +1028,7 @@ int ensure_vector_match(sqlite3_value aValue, sqlite3_value bValue, void **a,`
`1028`	`1028`	`if (rc != SQLITE_OK) {`
`1029`	`1029`	`*outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);`
`1030`	`1030`	`sqlite3_free(error);`
`1031`		`- aCleanup(a);`
	`1031`	`+ aCleanup(*a);`
`1032`	`1032`	`return SQLITE_ERROR;`
`1033`	`1033`	`}`
`1034`	`1034`