Hi,

Currently in src/interfaces/ecpg/ecpglib/prepare.c we don't check the return value of replace_variables(). The proposed patch fixes this. The rest of the code looks OK to me.
-- 
Best regards,
Aleksander Alekseev
From 7203fd683de5d6f056337d2da90253dc8e321992 Mon Sep 17 00:00:00 2001 From: Aleksander Alekseev <[email protected]> Date: Tue, 7 Oct 2025 16:52:19 +0300 Subject: [PATCH v1] ecpg: check return value of replace_variables() The function returns false if it fails to allocate memory, however the return value was not checked in the code. Correct this. Author: Aleksander Alekseev <[email protected]> Reviewed-by: TODO FIXME Discussion: TODO FIXME --- src/interfaces/ecpg/ecpglib/prepare.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/interfaces/ecpg/ecpglib/prepare.c b/src/interfaces/ecpg/ecpglib/prepare.c index 06f0135813b..4b1ae839506 100644 --- a/src/interfaces/ecpg/ecpglib/prepare.c +++ b/src/interfaces/ecpg/ecpglib/prepare.c @@ -200,7 +200,13 @@ prepare_common(int lineno, struct connection *con, const char *name, const char stmt->inlist = stmt->outlist = NULL; /* if we have C variables in our statement replace them with '?' */ - replace_variables(&(stmt->command), lineno); + if (!replace_variables(&(stmt->command), lineno)) + { + ecpg_free(stmt->command); + ecpg_free(stmt); + ecpg_free(this); + return false; + } /* add prepared statement to our list */ this->name = ecpg_strdup(name, lineno, NULL); -- 2.43.0
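Review bot: the new failure path in prepare_common() calls ecpg_free(stmt->command) after replace_variables(&(stmt->command), lineno) has returned false, so it silently relies on replace_variables() leaving *text either untouched or pointing at a live allocation on every false return; that function's body is not in this patch, so the contract should be confirmed and stated in a comment next to the new branch, otherwise the free here would double-free or free a dangling pointer depending on where inside replace_variables() the allocation failed. An alternative that removes the ambiguity is to have replace_variables() release *text and set it to NULL before returning false, and then keep only ecpg_free(stmt) and ecpg_free(this) in this hunk. Also, the unchanged context line directly below, this->name = ecpg_strdup(name, lineno, NULL);, is another unchecked allocation in the same function; if ecpg_strdup() can also report failure, the commit message's rationale applies to it too and it is worth handling in the same patch or noting why it is left out.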
