commit: 1bd62067167fdc045daea14089185a9b22463771 Author: Fabian Groffen <grobian <AT> gentoo <DOT> org> AuthorDate: Sat Apr 19 13:57:16 2025 +0000 Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> CommitDate: Sat Apr 19 13:57:16 2025 +0000 URL: https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=1bd62067
qmanifest: properly free on error exit, Coverity 520181 Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org> qmanifest.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/qmanifest.c b/qmanifest.c index 555e3c7..bf08a61 100644 --- a/qmanifest.c +++ b/qmanifest.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2024 Gentoo Foundation + * Copyright 2018-2025 Gentoo Foundation * Distributed under the terms of the GNU General Public License v2 * * Copyright 2018- Fabian Groffen - <[email protected]> @@ -929,7 +929,9 @@ verify_gpg_sig(const char *path, verify_msg **msgs) /* we only check/return the first signature */ if ((sig = vres->signatures) != NULL) { - ret = xmalloc(sizeof(gpg_sig)); + bool cleanup = false; + + ret = xcalloc(1, sizeof(gpg_sig)); if (sig->fpr != NULL) { snprintf(buf, sizeof(buf), @@ -984,24 +986,31 @@ verify_gpg_sig(const char *path, verify_msg **msgs) "used to verify the signature has been revoked"); break; case GPG_ERR_BAD_SIGNATURE: - free(ret); - ret = NULL; + cleanup = true; printf("the signature is invalid\n"); break; case GPG_ERR_NO_PUBKEY: - free(ret); - ret = NULL; + cleanup = true; printf("the signature could not be verified due to a " "missing key for:\n %s\n", buf); break; default: - free(ret); - ret = NULL; + cleanup = true; printf("there was some error which prevented the " "signature verification:\n %s: %s\n", buf, gpgme_strerror(sig->status)); break; } + + if (cleanup) { + free(ret->algo); + free(ret->fingerprint); + free(ret->timestamp); + free(ret->signer); + free(ret->pkfingerprint); + free(ret); + ret = NULL; + } } gpgme_data_release(out);
