qdl: fix resource leaks in programmer image decoding

igoropaniuk · igoropaniuk · commit 74fe0a07a683 · 2026-02-13T10:43:15.000+01:00
decode_programmer_archive() allocates images[id].ptr (via malloc)
and images[id].name (via strdup) while iterating CPIO entries. If
a later entry fails validation, all previously allocated entries
leak because the function returns -1 immediately.

The same leak exists in decode_sahara_config() and its callers:
decode_programmer() doesn't clean up partially-populated images on
error, and qdl_flash() never frees the sahara_images array even on
the normal exit path.

Rather than restructuring the parser loop with break/cleanup logic,
fix this at the ownership level:

- Introduce sahara_images_free() as a reusable cleanup helper.
  free(NULL) is well-defined per C standard, so no NULL guards
  are needed before calling free().

- Drop 'const' from sahara_image.name: the struct always owns the
  allocation (via strdup), so const is misleading and forces casts
  when freeing. This follows the principle that the owner of a
  heap allocation should hold a non-const pointer to it.

- Call sahara_images_free() in decode_programmer() error paths and
  in qdl_flash() cleanup, keeping decode_programmer_archive()
  itself simple with its existing early returns.

Signed-off-by: Igor Opaniuk &lt;igor.opaniuk@oss.qualcomm.com&gt;
diff --git a/qdl.c b/qdl.c
@@ -395,7 +395,11 @@ static int decode_programmer(char *s, struct sahara_image *images)
 			return -1;
 
 		ret = decode_programmer_archive(&archive, images);
-		if (ret < 0 || ret == 1)
+		if (ret < 0) {
+			sahara_images_free(images, MAPPING_SZ);
+			return ret;
+		}
+		if (ret == 1)
 			return ret;
 
 		ret = decode_sahara_config(&archive, images);
@@ -747,6 +751,9 @@ static int qdl_flash(int argc, char **argv)
 		vip_gen_finalize(qdl);
 
 	qdl_close(qdl);
+
+	sahara_images_free(sahara_images, MAPPING_SZ);
+
 	free_programs();
 	free_patches();
 
diff --git a/qdl.h b/qdl.h
@@ -79,7 +79,7 @@ struct qdl_device {
 };
 
 struct sahara_image {
-	const char *name;
+	char *name;
 	void *ptr;
 	size_t len;
 };
@@ -113,6 +113,7 @@ int sahara_run(struct qdl_device *qdl, const struct sahara_image *images,
 	       const char *ramdump_path,
 	       const char *ramdump_filter);
 int load_sahara_image(const char *filename, struct sahara_image *image);
+void sahara_images_free(struct sahara_image *images, size_t count);
 void print_hex_dump(const char *prefix, const void *buf, size_t len);
 unsigned int attr_as_unsigned(xmlNode *node, const char *attr, int *errors);
 const char *attr_as_string(xmlNode *node, const char *attr, int *errors);
diff --git a/util.c b/util.c
@@ -266,3 +266,12 @@ int load_sahara_image(const char *filename, struct sahara_image *image)
 	close(fd);
 	return -1;
 }
+
+void sahara_images_free(struct sahara_image *images, size_t count)
+{
+	for (size_t i = 0; i < count; i++) {
+		free(images[i].name);
+		free(images[i].ptr);
+		images[i] = (struct sahara_image){};
+	}
+}
