
coverity scan issues

coverity scan issues

(1) By Ondrej Dubaj (odubaj) on 2021-05-03 08:12:34 [link] [source]

Hello,

Proposing small fixes for issues found by our Coverity scanner during static analysis of the code.

diff --git a/ext/misc/decimal.c b/ext/misc/decimal.c
index a8d68ac..ed16227 100644
--- a/ext/misc/decimal.c
+++ b/ext/misc/decimal.c
@@ -459,7 +459,10 @@ static void decimalSubFunc(
   Decimal *pA = decimal_new(context, argv[0], 0, 0);
   Decimal *pB = decimal_new(context, argv[1], 0, 0);
   UNUSED_PARAMETER(argc);
-  if( pB==0 ) return;
+  if( pB==0 ) {
+    decimal_free(pA);
+    return;
+  }
   pB->sign = !pB->sign;
   decimal_add(pA, pB);
   decimal_result(context, pA);
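Review bot: The new guard only covers pB==0; the mirror case where decimal_new fails for argv[0] but succeeds for argv[1] still reaches `decimal_add(pA, pB)` with pA NULL, and whether that is safe depends on how decimal_add treats a NULL first argument, which is not visible in this hunk. If it does not tolerate NULL, the guard should become `if( pA==0 || pB==0 ){ decimal_free(pA); decimal_free(pB); return; }` — the added code already relies on decimal_free accepting a NULL pA (both allocations can fail), so the symmetric call is consistent with that. decimalSubFunc continues past the hunk, so the normal-path release of pA and pB cannot be checked here.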
diff --git a/src/shell.c.in b/src/shell.c.in
index 2d98d23..7db5ff8 100644
--- a/src/shell.c.in
+++ b/src/shell.c.in
@@ -3843,9 +3843,9 @@ static int run_schema_dump_query(
     }else{
       rc = SQLITE_CORRUPT;
     }
-    sqlite3_free(zErr);
     free(zQ2);
   }
+  sqlite3_free(zErr);
   return rc;
 }
 
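Review bot: With `sqlite3_free(zErr)` moved to the function exit it now runs on every path out of run_schema_dump_query, including any that reaches `return rc` without sqlite3_exec having written zErr; that is only correct if zErr is initialized to NULL at its declaration, which lies outside the hunk and is worth confirming. A one-line comment at the new call, `/* zErr is NULL unless sqlite3_exec set it; free on every path */`, would record the invariant the move depends on. run_schema_dump_query starts outside the hunk.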
@@ -6715,6 +6715,7 @@ static void shellExec(sqlite3 *db, int *pRc, const char *zSql){
     if( rc!=SQLITE_OK ){
       raw_printf(stderr, "SQL error: %s\n", zErr);
     }
+    sqlite3_free(zErr);
     *pRc = rc;
   }
 }
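Review bot: The `raw_printf(stderr, "SQL error: %s\n", zErr)` directly above the added free still passes zErr unchecked; sqlite3_exec can report a failure without an allocated message (zErr left NULL, for example when the message itself cannot be allocated), and handing NULL to `%s` is undefined behaviour. Unless the part of shellExec outside the hunk already guarantees a non-NULL message, `raw_printf(stderr, "SQL error: %s\n", zErr ? zErr : "(unknown)");` closes that gap and the new `sqlite3_free(zErr)` remains correct either way since freeing NULL is a no-op. The enclosing block of shellExec begins outside the hunk.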
@@ -8063,6 +8064,7 @@ static int do_meta_command(char *zLine, ShellState *p){
       shell_exec(&data, "SELECT * FROM sqlite_stat4", &zErrMsg);
       raw_printf(p->out, "ANALYZE sqlite_schema;\n");
     }
+    sqlite3_free(zErrMsg);
   }else
 
   if( c=='h' && strncmp(azArg[0], "headers", n)==0 ){
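Review bot: The added `sqlite3_free(zErrMsg)` releases the message left by `shell_exec(&data, "SELECT * FROM sqlite_stat4", &zErrMsg)` two lines above, but that call's return code and message are never inspected, so an error there is now silently discarded rather than leaked. If best-effort is intended, a comment such as `/* sqlite_stat4 may not exist; ignore errors, just release any message */` should say so; otherwise check the return value and print zErrMsg before freeing it. If earlier shell_exec calls in this branch (outside the hunk) also write through &zErrMsg, only the last message is released here and earlier ones leak unless shell_exec frees or refuses to overwrite a non-NULL *pzErrMsg — worth confirming against the rest of do_meta_command, which starts outside the hunk.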




Also attaching the full report from the scan. Most of the issues I consider false positives or low-priority problems; the ones I consider real problems are fixed by the provided patch. Could you please confirm my assessment?

Thank you.

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/shell.c:4963: alloc_fn: Storage is returned from allocation function "decimal_new".
sqlite-src-3350500/shell.c:4963: var_assign: Assigning: "pA" = storage returned from "decimal_new(context, argv[0], 0, NULL)".
sqlite-src-3350500/shell.c:4966: leaked_storage: Variable "pA" going out of scope leaks the storage it points to.
# 4964|     Decimal *pB = decimal_new(context, argv[1], 0, 0);
# 4965|     UNUSED_PARAMETER(argc);
# 4966|->   if( pB==0 ) return;
# 4967|     pB->sign = !pB->sign;
# 4968|     decimal_add(pA, pB);

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:7131: freed_arg: "zipfileResetCursor" frees "pCsr->pFreeEntry".
sqlite-src-3350500/shell.c:7169: use_after_free: Using freed pointer "pCsr->pFreeEntry".
# 7167|     }else{
# 7168|       pCsr->bNoop = 1;
# 7169|->     pCsr->pCurrent = pCsr->pFreeEntry ? pCsr->pFreeEntry : pTab->pFirstEntry;
# 7170|       rc = zipfileNext(cur);
# 7171|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:10206: alias: Assigning: "pScanOrig" = "p->pScan". Now both point to the same storage.
sqlite-src-3350500/shell.c:10237: freed_arg: "idxScanFree" frees "p->pScan".
sqlite-src-3350500/shell.c:10239: use_after_free: Using freed pointer "pScanOrig".
#10237|       idxScanFree(p->pScan, pScanOrig);
#10238|       idxStatementFree(p->pStatement, pStmtOrig);
#10239|->     p->pScan = pScanOrig;
#10240|       p->pStatement = pStmtOrig;
#10241|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:10207: alias: Assigning: "pStmtOrig" = "p->pStatement". Now both point to the same storage.
sqlite-src-3350500/shell.c:10238: freed_arg: "idxStatementFree" frees "p->pStatement".
sqlite-src-3350500/shell.c:10240: use_after_free: Using freed pointer "pStmtOrig".
#10238|       idxStatementFree(p->pStatement, pStmtOrig);
#10239|       p->pScan = pScanOrig;
#10240|->     p->pStatement = pStmtOrig;
#10241|     }
#10242|   

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/shell.c:13981: alloc_arg: "sqlite3_exec" allocates memory that is stored into "zErr". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/shell.c:14003: leaked_storage: Variable "zErr" going out of scope leaks the storage it points to.
#14001|       free(zQ2);
#14002|     }
#14003|->   return rc;
#14004|   }
#14005|   

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/shell.c:16872: alloc_arg: "sqlite3_exec" allocates memory that is stored into "zErr". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/shell.c:16874: noescape: Resource "zErr" is not freed or pointed-to in "fprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/shell.c:16877: leaked_storage: Variable "zErr" going out of scope leaks the storage it points to.
#16875|       }
#16876|       *pRc = rc;
#16877|->   }
#16878|   }
#16879|   

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/shell.c:18195: alloc_arg: "sqlite3_exec" allocates memory that is stored into "zErrMsg". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/shell.c:18226: leaked_storage: Variable "zErrMsg" going out of scope leaks the storage it points to.
#18224|         raw_printf(p->out, "ANALYZE sqlite_schema;\n");
#18225|       }
#18226|->   }else
#18227|   
#18228|     if( c=='h' && strncmp(azArg[0], "headers", n)==0 ){

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:61126: freed_arg: "walIndexAppend" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:61140: use_after_free: Using freed pointer "pWal->apWiData".
#61138|           }
#61139|         }
#61140|->       pWal->apWiData[iPg] = aShare;
#61141|         nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
#61142|         nHdr32 = nHdr / sizeof(u32);

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:62019: freed_arg: "sqlite3WalCheckpoint" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:62052: double_free: Calling "sqlite3_free" frees pointer "pWal->apWiData" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#62050|       }
#62051|       WALTRACE(("WAL%p: closed\n", pWal));
#62052|->     sqlite3_free((void *)pWal->apWiData);
#62053|       sqlite3_free(pWal);
#62054|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63466: double_free: Calling "sqlite3WalFindFrame" frees pointer "pWal->apWiData" which has already been freed.
#63464|       if( iFirst && (p->pDirty || isCommit==0) ){
#63465|         u32 iWrite = 0;
#63466|->       VVA_ONLY(rc =) sqlite3WalFindFrame(pWal, p->pgno, &iWrite);
#63467|         assert( rc==SQLITE_OK || iWrite==0 );
#63468|         if( iWrite>=iFirst ){

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63555: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63553|       if( (p->flags & PGHDR_WAL_APPEND)==0 ) continue;
#63554|       iFrame++;
#63555|->     rc = walIndexAppend(pWal, iFrame, p->pgno);
#63556|     }
#63557|     assert( pLast!=0 || nExtra==0 );

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63561: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63559|       iFrame++;
#63560|       nExtra--;
#63561|->     rc = walIndexAppend(pWal, iFrame, pLast->pgno);
#63562|     }
#63563|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63576: deref_arg: Calling "walIndexWriteHdr" dereferences freed pointer "pWal->apWiData".
#63574|       /* If this is a commit, update the wal-index header too. */
#63575|       if( isCommit ){
#63576|->       walIndexWriteHdr(pWal);
#63577|         pWal->iCallback = iFrame;
#63578|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:76716: freed_arg: "sqlite3Realloc" frees "pMem->z".
sqlite-src-3350500/sqlite3.c:76717: double_free: Calling "sqlite3_free" frees pointer "pMem->z" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#76715|       }else{
#76716|         pMem->zMalloc = sqlite3Realloc(pMem->z, n);
#76717|->       if( pMem->zMalloc==0 ) sqlite3_free(pMem->z);
#76718|         pMem->z = pMem->zMalloc;
#76719|       }

Error: BAD_FREE (CWE-590):
sqlite-src-3350500/sqlite3.c:138471: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3.c:138484: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3.c:138491: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
#138469|     res.azResult[0] = SQLITE_INT_TO_PTR(res.nData);
#138470|     if( (rc&0xff)==SQLITE_ABORT ){
#138471|->     sqlite3_free_table(&res.azResult[1]);
#138472|       if( res.zErrMsg ){
#138473|         if( pzErrMsg ){

Error: COPY_PASTE_ERROR (CWE-398):
sqlite-src-3350500/sqlite3.c:156200: original: "pMWin->regStartRowid" looks like the original copy.
sqlite-src-3350500/sqlite3.c:156212: copy_paste_error: "regStartRowid" in "pMWin->regStartRowid" looks like a copy-paste error.
sqlite-src-3350500/sqlite3.c:156212: remediation: Should it say "regEndRowid" instead?
#156210|         csr = p->end.csr;
#156211|         reg = p->end.reg;
#156212|->       if( pMWin->regStartRowid ){
#156213|           assert( pMWin->regEndRowid );
#156214|           sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regEndRowid, 1);

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3.c:172917: alloc_arg: "fts3DoclistOrMerge" allocates memory that is stored into "aNew".
sqlite-src-3350500/sqlite3.c:172929: var_assign: Assigning: "aMerge" = "aNew".
sqlite-src-3350500/sqlite3.c:172935: leaked_storage: Variable "aNew" going out of scope leaks the storage it points to.
sqlite-src-3350500/sqlite3.c:172937: leaked_storage: Variable "aMerge" going out of scope leaks the storage it points to.
#172935|         }
#172936|       }
#172937|->   }
#172938|     return SQLITE_OK;
#172939|   }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:176512: freed_arg: "sqlite3_free" frees "pCsr->filter.zTerm". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3.c:176547: pass_freed_arg: Passing freed pointer "pCsr->filter.zTerm" as an argument to "sqlite3Fts3SegReaderCursor".
#176545|     pCsr->iLangid = iLangVal;
#176546|   
#176547|->   rc = sqlite3Fts3SegReaderCursor(pFts3, iLangVal, 0, FTS3_SEGCURSOR_ALL,
#176548|         pCsr->filter.zTerm, pCsr->filter.nTerm, 0, isScan, &pCsr->csr
#176549|     );

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3.c:176983: alloc_fn: Storage is returned from allocation function "fts3ReallocOrFree".
sqlite-src-3350500/sqlite3.c:176983: var_assign: Assigning: "zTemp" = storage returned from "fts3ReallocOrFree(zTemp, nTemp + nByte)".
sqlite-src-3350500/sqlite3.c:176990: noescape: Resource "&zTemp[nTemp]" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3.c:177032: leaked_storage: Variable "zTemp" going out of scope leaks the storage it points to.
#177030|   
#177031|     *ppExpr = p;
#177032|->   return rc;
#177033|   no_mem:
#177034|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:227752: freed_arg: "fts5FreeCursorComponents" frees "pCsr->pExpr".
sqlite-src-3350500/sqlite3.c:227877: deref_arg: Calling "fts5CursorFirst" dereferences freed pointer "pCsr->pExpr".
#227875|         }else{
#227876|           pCsr->ePlan = FTS5_PLAN_MATCH;
#227877|->         rc = fts5CursorFirst(pTab, pCsr, bDesc);
#227878|         }
#227879|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:61150: freed_arg: "walIndexAppend" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:61164: use_after_free: Using freed pointer "pWal->apWiData".
#61162|           }
#61163|         }
#61164|->       pWal->apWiData[iPg] = aShare;
#61165|         nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
#61166|         nHdr32 = nHdr / sizeof(u32);

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:62043: freed_arg: "sqlite3WalCheckpoint" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:62076: double_free: Calling "sqlite3_free" frees pointer "pWal->apWiData" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#62074|       }
#62075|       WALTRACE(("WAL%p: closed\n", pWal));
#62076|->     sqlite3_free((void *)pWal->apWiData);
#62077|       sqlite3_free(pWal);
#62078|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63490: double_free: Calling "sqlite3WalFindFrame" frees pointer "pWal->apWiData" which has already been freed.
#63488|       if( iFirst && (p->pDirty || isCommit==0) ){
#63489|         u32 iWrite = 0;
#63490|->       VVA_ONLY(rc =) sqlite3WalFindFrame(pWal, p->pgno, &iWrite);
#63491|         assert( rc==SQLITE_OK || iWrite==0 );
#63492|         if( iWrite>=iFirst ){

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63579: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63577|       if( (p->flags & PGHDR_WAL_APPEND)==0 ) continue;
#63578|       iFrame++;
#63579|->     rc = walIndexAppend(pWal, iFrame, p->pgno);
#63580|     }
#63581|     assert( pLast!=0 || nExtra==0 );

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63585: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63583|       iFrame++;
#63584|       nExtra--;
#63585|->     rc = walIndexAppend(pWal, iFrame, pLast->pgno);
#63586|     }
#63587|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63600: deref_arg: Calling "walIndexWriteHdr" dereferences freed pointer "pWal->apWiData".
#63598|       /* If this is a commit, update the wal-index header too. */
#63599|       if( isCommit ){
#63600|->       walIndexWriteHdr(pWal);
#63601|         pWal->iCallback = iFrame;
#63602|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:76740: freed_arg: "sqlite3Realloc" frees "pMem->z".
sqlite-src-3350500/sqlite3_analyzer.c:76741: double_free: Calling "sqlite3_free" frees pointer "pMem->z" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#76739|       }else{
#76740|         pMem->zMalloc = sqlite3Realloc(pMem->z, n);
#76741|->       if( pMem->zMalloc==0 ) sqlite3_free(pMem->z);
#76742|         pMem->z = pMem->zMalloc;
#76743|       }

Error: BAD_FREE (CWE-590):
sqlite-src-3350500/sqlite3_analyzer.c:138495: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3_analyzer.c:138508: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3_analyzer.c:138515: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
#138493|     res.azResult[0] = SQLITE_INT_TO_PTR(res.nData);
#138494|     if( (rc&0xff)==SQLITE_ABORT ){
#138495|->     sqlite3_free_table(&res.azResult[1]);
#138496|       if( res.zErrMsg ){
#138497|         if( pzErrMsg ){

Error: COPY_PASTE_ERROR (CWE-398):
sqlite-src-3350500/sqlite3_analyzer.c:156224: original: "pMWin->regStartRowid" looks like the original copy.
sqlite-src-3350500/sqlite3_analyzer.c:156236: copy_paste_error: "regStartRowid" in "pMWin->regStartRowid" looks like a copy-paste error.
sqlite-src-3350500/sqlite3_analyzer.c:156236: remediation: Should it say "regEndRowid" instead?
#156234|         csr = p->end.csr;
#156235|         reg = p->end.reg;
#156236|->       if( pMWin->regStartRowid ){
#156237|           assert( pMWin->regEndRowid );
#156238|           sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regEndRowid, 1);

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3_analyzer.c:172941: alloc_arg: "fts3DoclistOrMerge" allocates memory that is stored into "aNew".
sqlite-src-3350500/sqlite3_analyzer.c:172953: var_assign: Assigning: "aMerge" = "aNew".
sqlite-src-3350500/sqlite3_analyzer.c:172959: leaked_storage: Variable "aNew" going out of scope leaks the storage it points to.
sqlite-src-3350500/sqlite3_analyzer.c:172961: leaked_storage: Variable "aMerge" going out of scope leaks the storage it points to.
#172959|         }
#172960|       }
#172961|->   }
#172962|     return SQLITE_OK;
#172963|   }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:176536: freed_arg: "sqlite3_free" frees "pCsr->filter.zTerm". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3_analyzer.c:176571: pass_freed_arg: Passing freed pointer "pCsr->filter.zTerm" as an argument to "sqlite3Fts3SegReaderCursor".
#176569|     pCsr->iLangid = iLangVal;
#176570|   
#176571|->   rc = sqlite3Fts3SegReaderCursor(pFts3, iLangVal, 0, FTS3_SEGCURSOR_ALL,
#176572|         pCsr->filter.zTerm, pCsr->filter.nTerm, 0, isScan, &pCsr->csr
#176573|     );

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3_analyzer.c:177007: alloc_fn: Storage is returned from allocation function "fts3ReallocOrFree".
sqlite-src-3350500/sqlite3_analyzer.c:177007: var_assign: Assigning: "zTemp" = storage returned from "fts3ReallocOrFree(zTemp, nTemp + nByte)".
sqlite-src-3350500/sqlite3_analyzer.c:177014: noescape: Resource "&zTemp[nTemp]" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3_analyzer.c:177056: leaked_storage: Variable "zTemp" going out of scope leaks the storage it points to.
#177054|   
#177055|     *ppExpr = p;
#177056|->   return rc;
#177057|   no_mem:
#177058|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:227776: freed_arg: "fts5FreeCursorComponents" frees "pCsr->pExpr".
sqlite-src-3350500/sqlite3_analyzer.c:227901: deref_arg: Calling "fts5CursorFirst" dereferences freed pointer "pCsr->pExpr".
#227899|         }else{
#227900|           pCsr->ePlan = FTS5_PLAN_MATCH;
#227901|->         rc = fts5CursorFirst(pTab, pCsr, bDesc);
#227902|         }
#227903|       }

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/tool/lemon.c:3539: alloc_fn: Storage is returned from allocation function "malloc".
sqlite-src-3350500/tool/lemon.c:3539: var_assign: Assigning: "pathbuf" = storage returned from "malloc((int)strlen(pathlist) + 1)".
sqlite-src-3350500/tool/lemon.c:3558: leaked_storage: Variable "pathbuf" going out of scope leaks the storage it points to.
# 3556|       free(pathbufptr);
# 3557|     }
# 3558|->   return path;
# 3559|   }
# 3560|

(2) By Ondrej Dubaj (odubaj) on 2021-05-03 11:41:32 in reply to 1 [source]

Results of testing with the patch applied:

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:7131: freed_arg: "zipfileResetCursor" frees "pCsr->pFreeEntry".
sqlite-src-3350500/shell.c:7169: use_after_free: Using freed pointer "pCsr->pFreeEntry".
# 7167|     }else{
# 7168|       pCsr->bNoop = 1;
# 7169|->     pCsr->pCurrent = pCsr->pFreeEntry ? pCsr->pFreeEntry : pTab->pFirstEntry;
# 7170|       rc = zipfileNext(cur);
# 7171|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:10206: alias: Assigning: "pScanOrig" = "p->pScan". Now both point to the same storage.
sqlite-src-3350500/shell.c:10237: freed_arg: "idxScanFree" frees "p->pScan".
sqlite-src-3350500/shell.c:10239: use_after_free: Using freed pointer "pScanOrig".
#10237|       idxScanFree(p->pScan, pScanOrig);
#10238|       idxStatementFree(p->pStatement, pStmtOrig);
#10239|->     p->pScan = pScanOrig;
#10240|       p->pStatement = pStmtOrig;
#10241|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/shell.c:10207: alias: Assigning: "pStmtOrig" = "p->pStatement". Now both point to the same storage.
sqlite-src-3350500/shell.c:10238: freed_arg: "idxStatementFree" frees "p->pStatement".
sqlite-src-3350500/shell.c:10240: use_after_free: Using freed pointer "pStmtOrig".
#10238|       idxStatementFree(p->pStatement, pStmtOrig);
#10239|       p->pScan = pScanOrig;
#10240|->     p->pStatement = pStmtOrig;
#10241|     }
#10242|    

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:61126: freed_arg: "walIndexAppend" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:61140: use_after_free: Using freed pointer "pWal->apWiData".
#61138|           }
#61139|         }
#61140|->       pWal->apWiData[iPg] = aShare;
#61141|         nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
#61142|         nHdr32 = nHdr / sizeof(u32);

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:62019: freed_arg: "sqlite3WalCheckpoint" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:62052: double_free: Calling "sqlite3_free" frees pointer "pWal->apWiData" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#62050|       }
#62051|       WALTRACE(("WAL%p: closed\n", pWal));
#62052|->     sqlite3_free((void *)pWal->apWiData);
#62053|       sqlite3_free(pWal);
#62054|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63466: double_free: Calling "sqlite3WalFindFrame" frees pointer "pWal->apWiData" which has already been freed.
#63464|       if( iFirst && (p->pDirty || isCommit==0) ){
#63465|         u32 iWrite = 0;
#63466|->       VVA_ONLY(rc =) sqlite3WalFindFrame(pWal, p->pgno, &iWrite);
#63467|         assert( rc==SQLITE_OK || iWrite==0 );
#63468|         if( iWrite>=iFirst ){

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63555: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63553|       if( (p->flags & PGHDR_WAL_APPEND)==0 ) continue;
#63554|       iFrame++;
#63555|->     rc = walIndexAppend(pWal, iFrame, p->pgno);
#63556|     }
#63557|     assert( pLast!=0 || nExtra==0 );

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63561: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63559|       iFrame++;
#63560|       nExtra--;
#63561|->     rc = walIndexAppend(pWal, iFrame, pLast->pgno);
#63562|     }
#63563|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:63466: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3.c:63576: deref_arg: Calling "walIndexWriteHdr" dereferences freed pointer "pWal->apWiData".
#63574|       /* If this is a commit, update the wal-index header too. */
#63575|       if( isCommit ){
#63576|->       walIndexWriteHdr(pWal);
#63577|         pWal->iCallback = iFrame;
#63578|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:76716: freed_arg: "sqlite3Realloc" frees "pMem->z".
sqlite-src-3350500/sqlite3.c:76717: double_free: Calling "sqlite3_free" frees pointer "pMem->z" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#76715|       }else{
#76716|         pMem->zMalloc = sqlite3Realloc(pMem->z, n);
#76717|->       if( pMem->zMalloc==0 ) sqlite3_free(pMem->z);
#76718|         pMem->z = pMem->zMalloc;
#76719|       }

Error: BAD_FREE (CWE-590):
sqlite-src-3350500/sqlite3.c:138471: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3.c:138484: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3.c:138491: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
#138469|     res.azResult[0] = SQLITE_INT_TO_PTR(res.nData);
#138470|     if( (rc&0xff)==SQLITE_ABORT ){
#138471|->     sqlite3_free_table(&res.azResult[1]);
#138472|       if( res.zErrMsg ){
#138473|         if( pzErrMsg ){

Error: COPY_PASTE_ERROR (CWE-398):
sqlite-src-3350500/sqlite3.c:156200: original: "pMWin->regStartRowid" looks like the original copy.
sqlite-src-3350500/sqlite3.c:156212: copy_paste_error: "regStartRowid" in "pMWin->regStartRowid" looks like a copy-paste error.
sqlite-src-3350500/sqlite3.c:156212: remediation: Should it say "regEndRowid" instead?
#156210|         csr = p->end.csr;
#156211|         reg = p->end.reg;
#156212|->       if( pMWin->regStartRowid ){
#156213|           assert( pMWin->regEndRowid );
#156214|           sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regEndRowid, 1);

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3.c:172917: alloc_arg: "fts3DoclistOrMerge" allocates memory that is stored into "aNew".
sqlite-src-3350500/sqlite3.c:172929: var_assign: Assigning: "aMerge" = "aNew".
sqlite-src-3350500/sqlite3.c:172935: leaked_storage: Variable "aNew" going out of scope leaks the storage it points to.
sqlite-src-3350500/sqlite3.c:172937: leaked_storage: Variable "aMerge" going out of scope leaks the storage it points to.
#172935|         }
#172936|       }
#172937|->   }
#172938|     return SQLITE_OK;
#172939|   }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:176512: freed_arg: "sqlite3_free" frees "pCsr->filter.zTerm". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3.c:176547: pass_freed_arg: Passing freed pointer "pCsr->filter.zTerm" as an argument to "sqlite3Fts3SegReaderCursor".
#176545|     pCsr->iLangid = iLangVal;
#176546|   
#176547|->   rc = sqlite3Fts3SegReaderCursor(pFts3, iLangVal, 0, FTS3_SEGCURSOR_ALL,
#176548|         pCsr->filter.zTerm, pCsr->filter.nTerm, 0, isScan, &pCsr->csr
#176549|     );

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3.c:176983: alloc_fn: Storage is returned from allocation function "fts3ReallocOrFree".
sqlite-src-3350500/sqlite3.c:176983: var_assign: Assigning: "zTemp" = storage returned from "fts3ReallocOrFree(zTemp, nTemp + nByte)".
sqlite-src-3350500/sqlite3.c:176990: noescape: Resource "&zTemp[nTemp]" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3.c:177032: leaked_storage: Variable "zTemp" going out of scope leaks the storage it points to.
#177030|   
#177031|     *ppExpr = p;
#177032|->   return rc;
#177033|   no_mem:
#177034|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3.c:227752: freed_arg: "fts5FreeCursorComponents" frees "pCsr->pExpr".
sqlite-src-3350500/sqlite3.c:227877: deref_arg: Calling "fts5CursorFirst" dereferences freed pointer "pCsr->pExpr".
#227875|         }else{
#227876|           pCsr->ePlan = FTS5_PLAN_MATCH;
#227877|->         rc = fts5CursorFirst(pTab, pCsr, bDesc);
#227878|         }
#227879|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:61150: freed_arg: "walIndexAppend" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:61164: use_after_free: Using freed pointer "pWal->apWiData".
#61162|           }
#61163|         }
#61164|->       pWal->apWiData[iPg] = aShare;
#61165|         nHdr = (iPg==0 ? WALINDEX_HDR_SIZE : 0);
#61166|         nHdr32 = nHdr / sizeof(u32);

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:62043: freed_arg: "sqlite3WalCheckpoint" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:62076: double_free: Calling "sqlite3_free" frees pointer "pWal->apWiData" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#62074|       }
#62075|       WALTRACE(("WAL%p: closed\n", pWal));
#62076|->     sqlite3_free((void *)pWal->apWiData);
#62077|       sqlite3_free(pWal);
#62078|     }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63490: double_free: Calling "sqlite3WalFindFrame" frees pointer "pWal->apWiData" which has already been freed.
#63488|       if( iFirst && (p->pDirty || isCommit==0) ){
#63489|         u32 iWrite = 0;
#63490|->       VVA_ONLY(rc =) sqlite3WalFindFrame(pWal, p->pgno, &iWrite);
#63491|         assert( rc==SQLITE_OK || iWrite==0 );
#63492|         if( iWrite>=iFirst ){

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63579: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63577|       if( (p->flags & PGHDR_WAL_APPEND)==0 ) continue;
#63578|       iFrame++;
#63579|->     rc = walIndexAppend(pWal, iFrame, p->pgno);
#63580|     }
#63581|     assert( pLast!=0 || nExtra==0 );

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63585: double_free: Calling "walIndexAppend" frees pointer "pWal->apWiData" which has already been freed.
#63583|       iFrame++;
#63584|       nExtra--;
#63585|->     rc = walIndexAppend(pWal, iFrame, pLast->pgno);
#63586|     }
#63587|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:63490: freed_arg: "sqlite3WalFindFrame" frees "pWal->apWiData".
sqlite-src-3350500/sqlite3_analyzer.c:63600: deref_arg: Calling "walIndexWriteHdr" dereferences freed pointer "pWal->apWiData".
#63598|       /* If this is a commit, update the wal-index header too. */
#63599|       if( isCommit ){
#63600|->       walIndexWriteHdr(pWal);
#63601|         pWal->iCallback = iFrame;
#63602|       }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:76740: freed_arg: "sqlite3Realloc" frees "pMem->z".
sqlite-src-3350500/sqlite3_analyzer.c:76741: double_free: Calling "sqlite3_free" frees pointer "pMem->z" which has already been freed. [Note: The source code implementation of the function has been overridden by a builtin model.]
#76739|       }else{
#76740|         pMem->zMalloc = sqlite3Realloc(pMem->z, n);
#76741|->       if( pMem->zMalloc==0 ) sqlite3_free(pMem->z);
#76742|         pMem->z = pMem->zMalloc;
#76743|       }

Error: BAD_FREE (CWE-590):
sqlite-src-3350500/sqlite3_analyzer.c:138495: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3_analyzer.c:138508: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
sqlite-src-3350500/sqlite3_analyzer.c:138515: address_free: "sqlite3_free_table" frees address of "res.azResult[1]".
#138493|     res.azResult[0] = SQLITE_INT_TO_PTR(res.nData);
#138494|     if( (rc&0xff)==SQLITE_ABORT ){
#138495|->     sqlite3_free_table(&res.azResult[1]);
#138496|       if( res.zErrMsg ){
#138497|         if( pzErrMsg ){

Error: COPY_PASTE_ERROR (CWE-398):
sqlite-src-3350500/sqlite3_analyzer.c:156224: original: "pMWin->regStartRowid" looks like the original copy.
sqlite-src-3350500/sqlite3_analyzer.c:156236: copy_paste_error: "regStartRowid" in "pMWin->regStartRowid" looks like a copy-paste error.
sqlite-src-3350500/sqlite3_analyzer.c:156236: remediation: Should it say "regEndRowid" instead?
#156234|         csr = p->end.csr;
#156235|         reg = p->end.reg;
#156236|->       if( pMWin->regStartRowid ){
#156237|           assert( pMWin->regEndRowid );
#156238|           sqlite3VdbeAddOp2(v, OP_AddImm, pMWin->regEndRowid, 1);

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3_analyzer.c:172941: alloc_arg: "fts3DoclistOrMerge" allocates memory that is stored into "aNew".
sqlite-src-3350500/sqlite3_analyzer.c:172953: var_assign: Assigning: "aMerge" = "aNew".
sqlite-src-3350500/sqlite3_analyzer.c:172959: leaked_storage: Variable "aNew" going out of scope leaks the storage it points to.
sqlite-src-3350500/sqlite3_analyzer.c:172961: leaked_storage: Variable "aMerge" going out of scope leaks the storage it points to.
#172959|         }
#172960|       }
#172961|->   }
#172962|     return SQLITE_OK;
#172963|   }

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:176536: freed_arg: "sqlite3_free" frees "pCsr->filter.zTerm". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3_analyzer.c:176571: pass_freed_arg: Passing freed pointer "pCsr->filter.zTerm" as an argument to "sqlite3Fts3SegReaderCursor".
#176569|     pCsr->iLangid = iLangVal;
#176570|   
#176571|->   rc = sqlite3Fts3SegReaderCursor(pFts3, iLangVal, 0, FTS3_SEGCURSOR_ALL,
#176572|         pCsr->filter.zTerm, pCsr->filter.nTerm, 0, isScan, &pCsr->csr
#176573|     );

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/sqlite3_analyzer.c:177007: alloc_fn: Storage is returned from allocation function "fts3ReallocOrFree".
sqlite-src-3350500/sqlite3_analyzer.c:177007: var_assign: Assigning: "zTemp" = storage returned from "fts3ReallocOrFree(zTemp, nTemp + nByte)".
sqlite-src-3350500/sqlite3_analyzer.c:177014: noescape: Resource "&zTemp[nTemp]" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
sqlite-src-3350500/sqlite3_analyzer.c:177056: leaked_storage: Variable "zTemp" going out of scope leaks the storage it points to.
#177054|   
#177055|     *ppExpr = p;
#177056|->   return rc;
#177057|   no_mem:
#177058|   

Error: USE_AFTER_FREE (CWE-416):
sqlite-src-3350500/sqlite3_analyzer.c:227776: freed_arg: "fts5FreeCursorComponents" frees "pCsr->pExpr".
sqlite-src-3350500/sqlite3_analyzer.c:227901: deref_arg: Calling "fts5CursorFirst" dereferences freed pointer "pCsr->pExpr".
#227899|         }else{
#227900|           pCsr->ePlan = FTS5_PLAN_MATCH;
#227901|->         rc = fts5CursorFirst(pTab, pCsr, bDesc);
#227902|         }
#227903|       }

Error: RESOURCE_LEAK (CWE-772):
sqlite-src-3350500/tool/lemon.c:3539: alloc_fn: Storage is returned from allocation function "malloc".
sqlite-src-3350500/tool/lemon.c:3539: var_assign: Assigning: "pathbuf" = storage returned from "malloc((int)strlen(pathlist) + 1)".
sqlite-src-3350500/tool/lemon.c:3558: leaked_storage: Variable "pathbuf" going out of scope leaks the storage it points to.
# 3556|       free(pathbufptr);
# 3557|     }
# 3558|->   return path;
# 3559|   }
# 3560|

(3) By Ondrej Dubaj (odubaj) on 2021-07-08 05:55:30 in reply to 2 [link] [source]

Gentle ping

(4) By Richard Hipp (drh) on 2021-07-08 12:38:22 in reply to 3 [link] [source]