From 04a44af16cc71125de2dd590c258bcf7e800e8db Mon Sep 17 00:00:00 2001
From: Edouard Schweisguth
Date: Fri, 12 Jun 2026 16:44:01 +0000
Subject: [PATCH] textfilecontent54 probe: fix memory leaks in process_file

Found by fuzzing process_file() under ASan/LSan.

- create_item()'s returned object was passed to SEXP_list_add(), which takes its own reference, but the caller's reference was never released -> every collected item leaked. Free our reference after adding.
- The items accumulator list itself was never freed on return. Free it at cleanup; collected items are owned by the probe result object, so this only releases the list's references (and frees any uncollected items).
---
 .../probes/independent/textfilecontent54_probe.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/OVAL/probes/independent/textfilecontent54_probe.c b/src/OVAL/probes/independent/textfilecontent54_probe.c
index 5fcc00f005..24d766b918 100644
--- a/src/OVAL/probes/independent/textfilecontent54_probe.c
+++ b/src/OVAL/probes/independent/textfilecontent54_probe.c
@@ -229,10 +229,15 @@ static int process_file(const char *prefix, const char *path, const char *file,
 		if (substr_cnt > 0) {
 			int k;
+			SEXP_t *item;
 			instance_count++;
-			SEXP_list_add(items, create_item(path, file, pfd->pattern,
-							 instance_count, substrs, substr_cnt, over));
+			item = create_item(path, file, pfd->pattern,
+					   instance_count, substrs, substr_cnt, over);
+			/* SEXP_list_add() takes its own reference, so release ours
+			 * to avoid leaking every created item. */
+			SEXP_list_add(items, item);
+			SEXP_free(item);
 			for (k = 0; k < substr_cnt; ++k)
 				free(substrs[k]);
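Review bot: The safety of `SEXP_free(item)` immediately after `SEXP_list_add(items, item)` hinges entirely on SEXP_list_add() taking its own reference, which the new comment asserts but the hunk cannot show; if the list instead keeps the caller's pointer, this line turns a leak into a use-after-free the next time the list is walked or freed, so the claim should be confirmed against SEXP_list_add()'s definition (an LSan-clean fuzz run is consistent with it, but ASan only catches the UAF if the harness touches the list afterwards). The new temporary is also used without a NULL check: whether create_item() can return NULL on allocation failure is not visible here, but since the patch introduces `item` anyway, guarding it is cheap, e.g. `if (item != NULL) { SEXP_list_add(items, item); SEXP_free(item); }`, or an error return via `ret` if the file's convention is to fail the probe on OOM. process_file() starts before this hunk and continues past it, so I cannot see whether create_item()'s result is validated elsewhere.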
@@ -278,6 +283,10 @@ static int process_file(const char *prefix, const char *path, const char *file,
 	if (whole_path != NULL)
 		free(whole_path);
 	free(whole_path_with_prefix);
+	/* Free the accumulator list. Collected items are owned by the probe
+	 * result object; this releases the list's own references (and frees any
+	 * items that were created but not collected). */
+	SEXP_free(items);
 	/* coverity[leaked_storage] - substrs is not leaked */
 	return ret;
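Review bot: `SEXP_free(items)` sits in the tail cleanup, but process_file() begins well before this hunk, so it is not visible whether every exit path reaches this point; any early `return` above it still leaks the list, and for the fix to be complete those paths should be routed through here (e.g. `ret = -1; goto cleanup;` if the file uses a cleanup label). If `items` can still be NULL on such a path (allocation failure before the scan loop), confirm SEXP_free() tolerates NULL or mirror the guard used on the line above it: `if (items != NULL) SEXP_free(items);`. The comment's statement that collected items are owned by the probe result object is the load-bearing assumption — if the list itself escapes (stored in `pfd` or the probe context rather than consumed locally), this free becomes a use-after-free — so ownership should be confirmed where `items` is created and collected, which is outside this hunk.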