From 4ce1ef3c6fda2a5c1986ef9505a15ad9cbd6b761 Mon Sep 17 00:00:00 2001
From: Alex Garcia
Date: Mon, 2 Mar 2026 20:50:54 -0800
Subject: [PATCH] =?UTF-8?q?Fix=20bad-free=20in=20ensure=5Fvector=5Fmatch:?= =?UTF-8?q?=20aCleanup(a)=20=E2=86=92=20aCleanup(*a)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the second vector argument fails to parse, the cleanup of the first vector was called with the double-pointer 'a' instead of '*a'. When the first vector was parsed from JSON text (cleanup = sqlite3_free), this called sqlite3_free on a stack address, causing a crash. Found by the vec-mismatch fuzz target. Shout out to @renatgalimov in #257 for finding the original bug!

Co-Authored-By: Claude Opus 4.6
---
 sqlite-vec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sqlite-vec.c b/sqlite-vec.c
index f2e02f0..cc09078 100644
--- a/sqlite-vec.c
+++ b/sqlite-vec.c
@@ -1028,7 +1028,7 @@ int ensure_vector_match(sqlite3_value *aValue, sqlite3_value *bValue, void **a,
 if (rc != SQLITE_OK) {
 *outError = sqlite3_mprintf("Error reading 2nd vector: %s", error);
 sqlite3_free(error);
- aCleanup(a);
+ aCleanup(*a);
 return SQLITE_ERROR;
 }
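Review bot: After the corrected `aCleanup(*a);` the pointer stored in `*a` is left dangling on the SQLITE_ERROR return, so any caller that releases the first vector regardless of rc would double-free it; unless the function's contract is documented as "on error, outputs are invalid and must not be cleaned", prefer `aCleanup(*a); *a = NULL;` on this path and on any sibling error path in ensure_vector_match that releases the first vector. The original mistake was silent because both `a` and `*a` convert to the cleanup callback's (presumably `void *`) parameter, so a one-line comment such as `/* a is an out-param (void **); the parsed vector is *a */` near the cleanup call would make the intent obvious to the next reader. Since the fuzz target caught this after the fact, a regression test that feeds a JSON-text first vector with an unparsable second vector under ASan would pin the fix. ensure_vector_match begins and ends outside this hunk.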