[pkg-GD-devel] Bug#709074: libgd3: memory leaks in gdft.c

Niels Thykier niels at thykier.net
Mon May 20 15:37:19 UTC 2013


Package: libgd3
Severity: normal
Tags: upstream

cppcheck finds two memory leaks[1]:

[src/gdft.c:1540]: (error) Common realloc mistake: 'fullname' nulled but not freed upon failure
[src/gdft.c:478]: (error) Memory leak: a

These both occur only during memory allocation errors (i.e. malloc or
realloc fails), so it is unlikely to happen in practice (or if it did,
the application is probably not going to live that much longer).
Nevertheless, they should be fixed so they do not become copy-waste
mistakes.


Context for the first error:
"""
	a = (font_t *) gdMalloc (sizeof (font_t));
	if (!a) {
		return NULL;
	}

	a->fontlist = (char *) gdMalloc(b_font_list_len + 1);
	if (a->fontlist == NULL) {
		// leak of "a" happens here
		return "could not alloc full list of fonts";
	}
"""

For the realloc issue - that appears to be a re-occurring problem for
upstream to get this one right[2]:

"""
$ grep gdRealloc src/*
src/gd.c:               im->polyInts = (int *) gdRealloc (im->polyInts,
src/gdft.c:                             strex->xshow = gdRealloc(strex->xshow, xshow_alloc);
src/gdft.c:             fullname = gdRealloc (fullname,
[...]
src/gd_topal.c: cquantize->fserrors = gdRealloc(cquantize->fserrors, arraysize);
"""

~Niels

[1] NB that cppcheck does not recognise gd{Malloc,Calloc,Realloc,Free}
as malloc, calloc, realloc and free.  I worked around this by
replacing the gdX variant with a CPP define to the original C
function.

[2] In case you are not familiar with the realloc problem.

  realloc returns NULL on failure, but does *not* de-allocate the
  input memory.  Thus:

     a = realloc(a, x);

  will leak "a" if realloc fails.
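
Added example (not code from libgd or from this report): the two leak patterns described above next to a corrected form, run against an allocator that can be forced to fail. The names x_malloc, x_realloc, x_free, fail_in, font_like_t and new_font are hypothetical stand-ins for gdMalloc, gdRealloc, gdFree and font_t.

```c
#include <stdlib.h>

/* Hypothetical test allocator (not libgd's gdMalloc/gdRealloc): counts live
 * blocks and fails the fail_in-th upcoming allocation (0 = never fail). */
static int live = 0, fail_in = 0;
static int should_fail(void) { return fail_in > 0 && --fail_in == 0; }
static void *x_malloc(size_t n) {
    void *p = should_fail() ? NULL : malloc(n);
    if (p) live++;
    return p;
}
static void *x_realloc(void *old, size_t n) {
    if (should_fail()) return NULL;   /* like realloc: old stays allocated */
    void *p = realloc(old, n);
    if (p && !old) live++;
    return p;
}
static void x_free(void *p) { if (p) { live--; free(p); } }

/* The flagged pattern: on failure the only pointer to the block is lost. */
static int grow_leaky(char **buf, size_t n) {
    *buf = x_realloc(*buf, n);
    return *buf ? 0 : -1;
}
/* Fixed: assign through a temporary. Assumed policy: the caller gives up on
 * the buffer when growing fails, so the old block is released here. */
static int grow_safe(char **buf, size_t n) {
    char *tmp = x_realloc(*buf, n);
    if (!tmp) { x_free(*buf); *buf = NULL; return -1; }
    *buf = tmp;
    return 0;
}
/* Blocks left allocated after a forced failure in the grow step. */
static int leaked_by(int (*grow)(char **, size_t)) {
    int before = live;
    char *buf = x_malloc(16);
    fail_in = 1;
    (void)grow(&buf, 32);
    return live - before;
}

/* Stand-in for font_t: free the struct if its member cannot be allocated. */
typedef struct { char *fontlist; } font_like_t;
static font_like_t *new_font(size_t len) {
    font_like_t *a = x_malloc(sizeof *a);
    if (!a) return NULL;
    a->fontlist = x_malloc(len + 1);
    if (!a->fontlist) { x_free(a); return NULL; }
    return a;
}
```

Setting fail_in to 2 before calling new_font fails the fontlist allocation, which is the path the first snippet above leaks on.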


