From f30df350a2dc523e316d5c525dfd51a8b51ba7b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Deuc=D0=B5?= <shurd@sasktel.net>
Date: Thu, 8 Feb 2024 11:40:25 -0500
Subject: [PATCH] Fix memory leak on realloc failure in xp_aprintf_next()

The caller of this function must clobber the passed-in pointer,
and we're returning NULL, meaning the caller would be overwriting the
pointer to the allocation.
---
 src/xpdev/xpprintf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/xpdev/xpprintf.c b/src/xpdev/xpprintf.c
index 1d387301c7..34ef165b8e 100644
--- a/src/xpdev/xpprintf.c
+++ b/src/xpdev/xpprintf.c
@@ -388,8 +388,10 @@ char* xp_asprintf_next(char *format, int type, ...)
 			 */
 			offset2=p-format;
 			newbuf=(char *)realloc(format, format_len+i-1 /* -1 for the '*' that's already there */);
-			if(newbuf==NULL)
+			if(newbuf==NULL) {
+				free(format);
 				return(NULL);
+			}
 			format=newbuf;
 			p=format+offset2;
 			/*
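Review bot: The added `free(format);` before `return(NULL);` means xp_asprintf_next() now consumes the caller's buffer on failure, but nothing visible in the hunk documents that ownership rule. A caller that keeps its old pointer and frees it after a NULL return would now double-free, so the contract should be stated at the function's definition, e.g. `/* On failure returns NULL and frees format; the caller must not use or free the pointer it passed in. */`. The same applies to the identical change in the hunk at -427 and to the `free(format);` added in the hunk at -1230. The function body starts and ends outside this hunk, so whether such a comment already exists cannot be seen from here.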
@@ -427,8 +429,10 @@ char* xp_asprintf_next(char *format, int type, ...)
 				 */
 				offset2=p-format;
 				newbuf=(char *)realloc(format, format_len+i-1 /* -1 for the '*' that's already there */);
-				if(newbuf==NULL)
+				if(newbuf==NULL) {
+					free(format);
 					return(NULL);
+				}
 				format=newbuf;
 				p=format+offset2;
 				/*
@@ -1230,6 +1234,7 @@ char* xp_asprintf_next(char *format, int type, ...)
 			newbuf=(char *)realloc(format, format_len-this_format_len+j);
 			if(newbuf==NULL) {
 				FREE_AND_NULL(entry);
+				free(format);
 				return(NULL);
 			}
 			format=newbuf;
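Review bot: This exit now releases both `entry` and `format`, but the cleanup is repeated by hand at each failure site, and the patch touches only the three `realloc` failures. Any other `return(NULL);` in the roughly 800 lines between the second hunk and this one is outside the diff and should be checked: if some NULL returns free `format` and others do not, the caller cannot tell whether to free its pointer, which gives either a leak or a double free. Routing every failure exit through a single cleanup label that does `free(format);` once would make the rule uniform. A short comment such as `/* format is owned by this function; free it on every failure path */` at this site would also record the intent.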
-- 
GitLab