potential memory leak: forgetting to free error message of libsqlite3 API 'sqlite3_exec' -1

hughsie / colord

Making color management just work

GNU General Public License v2.0

75 stars 51 forks source link

potential memory leak: forgetting to free error message of libsqlite3 API 'sqlite3_exec' -1 #110

Closed Zero0one1 closed 3 years ago

Zero0one1 commented 4 years ago

According to libsqlite3 API document, "To avoid memory leaks, the application should invoke sqlite3_free() on error message strings returned through the 5th parameter of sqlite3_exec() after the error message string is no longer needed."

https://github.com/hughsie/colord/blob/1572d92bb69de7632841bf17f3cb81534881c3c6/src/cd-device-db.c#L93-L103

Zero0one1 commented 4 years ago

Here is another issue: https://github.com/hughsie/colord/blob/1572d92bb69de7632841bf17f3cb81534881c3c6/src/cd-profile-db.c#L81-L92

hughsie commented 4 years ago

Seeing as both errors seems to be ignored, can we just set the 5th param to NULL? If so, I'd love a pull request with that fix please.

Zero0one1 commented 4 years ago

Agree. I think setting to NULL should work : )

abergmann commented 2 years ago

CVE-2021-42523 was assigned to this issue.

hughsie commented 2 years ago

Eigh? Can you explain how a memory leak is a Information Disclosure? That's completely wrong. This should not be a CVE.