Pass correct pointer to cleanup in ensure_vector_match error path

renatgalimov · renatgalimov · commit 623661ed210a · 2026-01-31T19:04:21.000+03:00
When the second vector fails to parse in ensure_vector_match(), the cleanup function for the first vector was called with 'a' (void**) instead of '*a' (void*). This caused sqlite3_free to be called with a stack address instead of the heap-allocated vector, resulting in a crash:

    malloc: Non-aligned pointer being freed
    Fatal error 6: Aborted

The fix dereferences the pointer correctly, matching how cleanup is
done in other error paths.

This fix has a unit test that will crash without the patch.
diff --git a/sqlite-vec.c b/sqlite-vec.c
@@ -1137,7 +1137,7 @@ int ensure_vector_match(sqlite3_value *aValue, sqlite3_value *bValue, void **a,
   if (rc != SQLITE_OK) {
     *outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);
     sqlite3_free(error);
-    aCleanup(a);
+    aCleanup(*a);
     return SQLITE_ERROR;
   }
 
diff --git a/tests/test-loadable.py b/tests/test-loadable.py
@@ -443,6 +443,32 @@ def check(a, b, dtype=np.float32):
         abs_tol=1e-6
     )
 
+def test_ensure_vector_match_cleanup_on_second_vector_error():
+    """
+    Test that ensure_vector_match properly cleans up the first vector
+    when the second vector fails to parse.
+
+    This tests the fix for a bug where aCleanup(a) was called instead of
+    aCleanup(*a), passing the wrong pointer to the cleanup function.
+
+    The bug only manifests when the first vector is parsed from JSON/TEXT
+    (which uses sqlite3_free as cleanup) rather than BLOB (which uses noop).
+    """
+    # Valid first vector as JSON text - this causes memory allocation
+    # and sets cleanup to sqlite3_free
+    valid_vector_json = "[1.0, 2.0, 3.0, 4.0]"
+
+    # Invalid second vector: 5 bytes, not divisible by 4 (sizeof float32)
+    # This will fail in fvec_from_value with "invalid float32 vector BLOB length"
+    invalid_vector = b"\x01\x02\x03\x04\x05"
+
+    with pytest.raises(sqlite3.OperationalError, match=r"^Error reading 2nd vector: invalid float32 vector BLOB length\. Must be divisible by 4, found 5$"):
+        db.execute(
+            "select vec_distance_cosine(?, ?)",
+            [valid_vector_json, invalid_vector]
+        ).fetchone()
+
+
 def test_vec_distance_hamming():
     vec_distance_hamming = lambda *args: db.execute(
         "select vec_distance_hamming(vec_bit(?), vec_bit(?))", args

Original file line number	Diff line number	Diff line change
`@@ -1137,7 +1137,7 @@ int ensure_vector_match(sqlite3_value aValue, sqlite3_value bValue, void **a,`
`1137`	`1137`	`if (rc != SQLITE_OK) {`
`1138`	`1138`	`*outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);`
`1139`	`1139`	`sqlite3_free(error);`
`1140`		`- aCleanup(a);`
	`1140`	`+ aCleanup(*a);`
`1141`	`1141`	`return SQLITE_ERROR;`
`1142`	`1142`	`}`
`1143`	`1143`