Pass correct pointer to cleanup in ensure_vector_match error path

renatgalimov · mceachen · commit 5008551b77c9 · 2026-02-04T20:17:45.000-08:00
When the second vector fails to parse in ensure_vector_match(), the cleanup function for the first vector was called with 'a' (void**) instead of '*a' (void*). This caused sqlite3_free to be called with a stack address instead of the heap-allocated vector, resulting in a crash:

    malloc: Non-aligned pointer being freed
    Fatal error 6: Aborted

The fix dereferences the pointer correctly, matching how cleanup is
done in other error paths.

This fix has a unit test that will crash without the patch.
diff --git a/sqlite-vec.c b/sqlite-vec.c
@@ -1155,7 +1155,7 @@ int ensure_vector_match(sqlite3_value *aValue, sqlite3_value *bValue, void **a,
   if (rc != SQLITE_OK) {
     *outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);
     sqlite3_free(error);
-    aCleanup(a);
+    aCleanup(*a);
     return SQLITE_ERROR;
   }
 
diff --git a/tests/test-loadable.py b/tests/test-loadable.py
@@ -480,6 +480,31 @@ def test_vec_distance_cosine_zero_vector():
     assert vec_distance_cosine_bit(b"\xff", b"\x00") == 1.0
     assert vec_distance_cosine_bit(b"\x00", b"\x00") == 1.0
 
+def test_ensure_vector_match_cleanup_on_second_vector_error():
+    """
+    Test that ensure_vector_match properly cleans up the first vector
+    when the second vector fails to parse.
+
+    This tests the fix for a bug where aCleanup(a) was called instead of
+    aCleanup(*a), passing the wrong pointer to the cleanup function.
+
+    The bug only manifests when the first vector is parsed from JSON/TEXT
+    (which uses sqlite3_free as cleanup) rather than BLOB (which uses noop).
+    """
+    # Valid first vector as JSON text - this causes memory allocation
+    # and sets cleanup to sqlite3_free
+    valid_vector_json = "[1.0, 2.0, 3.0, 4.0]"
+
+    # Invalid second vector: 5 bytes, not divisible by 4 (sizeof float32)
+    # This will fail in fvec_from_value with "invalid float32 vector BLOB length"
+    invalid_vector = b"\x01\x02\x03\x04\x05"
+
+    with pytest.raises(sqlite3.OperationalError, match=r"^Error reading 2nd vector: invalid float32 vector BLOB length\. Must be divisible by 4, found 5$"):
+        db.execute(
+            "select vec_distance_cosine(?, ?)",
+            [valid_vector_json, invalid_vector]
+        ).fetchone()
+
 def test_vec_distance_hamming():
     vec_distance_hamming = lambda *args: db.execute(
         "select vec_distance_hamming(vec_bit(?), vec_bit(?))", args

Original file line number	Diff line number	Diff line change
`@@ -1155,7 +1155,7 @@ int ensure_vector_match(sqlite3_value aValue, sqlite3_value bValue, void **a,`
`1155`	`1155`	`if (rc != SQLITE_OK) {`
`1156`	`1156`	`*outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);`
`1157`	`1157`	`sqlite3_free(error);`
`1158`		`- aCleanup(a);`
	`1158`	`+ aCleanup(*a);`
`1159`	`1159`	`return SQLITE_ERROR;`
`1160`	`1160`	`}`
`1161`	`1161`