Fix memory leaks

trufae · web-flow · commit 8c6084563d6f · 2025-11-24T22:23:12.000Z
diff --git a/libr/anal/dwarf_process.c b/libr/anal/dwarf_process.c
@@ -272,6 +272,10 @@ static st32 parse_type(Context *ctx, const ut64 offset, RStrBuf *strbuf, ut64 *s
 	}
 	if (visited && set_u_contains (*visited, offset)) {
 		R_LOG_WARN ("anal.dwarf.parse_type: infinite recursion detected");
+		if (root) {
+			set_u_free (*visited);
+			free (visited);
+		}
 		return -1;
 	}
 	set_u_add (*visited, offset);
@@ -483,6 +487,7 @@ static RAnalEnumCase *parse_enumerator(Context *ctx, ut64 idx, RAnalEnumCase *re
 		RBinDwarfAttrValue *value = &die->attr_values[i];
 		switch (die->attr_values[i].attr_name) {
 		case DW_AT_name:
+			free (name);
 			name = get_die_name (die);
 			if (!name) {
 				goto cleanup;
@@ -497,7 +502,10 @@ static RAnalEnumCase *parse_enumerator(Context *ctx, ut64 idx, RAnalEnumCase *re
 		}
 	}
 
-	result->name = name;
+	if (result->name != name) {
+		free (result->name);
+		result->name = name;
+	}
 	result->val = (int)val;
 	return result;
 cleanup:
@@ -616,7 +624,7 @@ static void parse_enum_type(Context *ctx, ut64 idx) {
 		base_type->type = r_strbuf_drain_nofree (&strbuf);
 	}
 
-	RAnalEnumCase cas;
+	RAnalEnumCase cas = {0};
 	if (die->has_children) {
 		int child_depth = 1; // Direct children of the node
 		size_t j;
@@ -634,6 +642,7 @@ static void parse_enum_type(Context *ctx, ut64 idx) {
 					enum_type_case_free (result, NULL);
 					goto cleanup;
 				}
+				cas.name = NULL;
 			}
 			if (child_die->has_children) {
 				child_depth++;
diff --git a/libr/anal/sign.c b/libr/anal/sign.c
@@ -1332,6 +1332,8 @@ static double matchBytes(RSignItem *a, RSignItem *b) {
 		}
 		if (a->bytes->mask) {
 			memcpy (combined_mask, a->bytes->mask, min_size);
+		} else {
+			memset (combined_mask, 0xff, min_size);
 		}
 		if (b->bytes->mask) {
 			int i;
diff --git a/libr/arch/p/arm/armass64.c b/libr/arch/p/arm/armass64.c
@@ -1618,7 +1618,7 @@ static bool parseOperands(char *str, ArmOp *op) {
 	int mem_opt = 0;
 	int msr_op_index = 0;
 	size_t index_bound = strcspn (t, "]");
-	if (!token) {
+	if (!t) {
 		return false;
 	}
 
@@ -1634,6 +1634,7 @@ static bool parseOperands(char *str, ArmOp *op) {
 		}
 		if (operand >= MAX_OPERANDS) {
 			R_LOG_ERROR ("Too many operands");
+			free (t);
 			return false;
 		}
 		op->operands[operand].type = ARM_NOTYPE;
@@ -1723,6 +1724,7 @@ static bool parseOperands(char *str, ArmOp *op) {
 				token++;
 			}
 			if (!*token || !isdigit ((unsigned char)*token)) {
+				free (t);
 				return false;
 			}
 			op->operands[operand].shift_amount = r_num_math (NULL, token);
@@ -1748,6 +1750,7 @@ static bool parseOperands(char *str, ArmOp *op) {
 			}
 			if (!*token || !isdigit ((unsigned char)*token)) {
 				if (present) {
+					free (t);
 					return false;
 				}
 				op->operands[operand].shift_amount = 0;
diff --git a/libr/arch/p/cosmac/pseudo.c b/libr/arch/p/cosmac/pseudo.c
@@ -94,6 +94,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 #endif
 	const char *op0 = buf;
 	if (!strcmp (op0, "ret") || !strcmp (op0, "sret")) {
+		free (buf);
 		return strdup ("return r0");
 	}
 	char *str = malloc (strlen (data) + 128);
diff --git a/libr/arch/p/x86_nz/pseudo.c b/libr/arch/p/x86_nz/pseudo.c
@@ -192,6 +192,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 	*w0 = *w1 = *w2 = *w3 = '\0';
 	if (strchr (data, '(')) {
 		// avoid double-pseudo calls
+		free (buf);
 		return NULL;
 	}
 	char *str = NULL;
@@ -378,7 +379,7 @@ static char *patch(RAsmPluginSession *aps, RAnalOp *aop, const char *op) {
 			R_LOG_ERROR ("Cant fit a nop in here");
 			return false;
 		}
-		char *hcmd = malloc ((size * 2) + 5);
+		hcmd = malloc ((size * 2) + 5);
 		if (!hcmd) {
 			return false;
 		}
diff --git a/libr/asm/parse.c b/libr/asm/parse.c
@@ -101,7 +101,9 @@ R_API char *r_asm_parse_immbase(RAsm *a, const char *_opstr, int base) {
 		}
 	}
 	r_strbuf_append (sb, last);
-	return r_strbuf_drain (sb);
+	char *result = r_strbuf_drain (sb);
+	free (opstr);
+	return result;
 }
 
 // TODO : make them internal?
diff --git a/libr/bin/format/elf/elf.c b/libr/bin/format/elf/elf.c
@@ -5054,6 +5054,7 @@ static RVecRBinElfSymbol *_load_additional_imported_symbols(ELFOBJ *eo, ImportIn
 		if (symbol->is_imported) {
 			if (limit > 0 && count++ > limit) {
 				R_LOG_WARN ("eo.limit reached for imports");
+				free (isym);
 				break;
 			}
 			RVecRBinElfSymbol_push_back (imports, symbol);
diff --git a/libr/bin/format/mach0/mach0.c b/libr/bin/format/mach0/mach0.c
@@ -3099,13 +3099,14 @@ static void parse_symbols(RBinFile *bf, struct MACH0_(obj_t) *mo, HtPP *symcache
 				sym->name = r_bin_name_new (symbol.name);
 			} else {
 				char *name = r_str_newf ("entry%u", (ut32)i);
-				sym->name = r_bin_name_new (symbol.name);
+				sym->name = r_bin_name_new (name);
 				free (name);
 			}
 			sym->type = symbol.type == R_BIN_MACH0_SYMBOL_TYPE_LOCAL? "LOCAL": "EXT";
 			sym->is_imported = symbol.is_imported;
 			sym->ordinal = ordinal++;
 			_enrich_symbol (bf, mo, symcache, sym);
+			free (symbol.name);
 		}
 	}
 
diff --git a/libr/bin/format/objc/mach0_classes.c b/libr/bin/format/objc/mach0_classes.c
@@ -331,9 +331,6 @@ static void get_ivar_list(RBinFile *bf, RBinClass *klass, mach0_ut p) {
 			return;
 		}
 		field = R_NEW0 (RBinField);
-		if (!field) {
-			break;
-		}
 		memset (&i, '\0', sizeof (struct MACH0_(SIVar)));
 		if (r + left < r || r + sizeof (struct MACH0_(SIVar)) < r) {
 			goto error;
@@ -452,6 +449,8 @@ static void get_ivar_list(RBinFile *bf, RBinClass *klass, mach0_ut p) {
 				field = NULL;
 			} else {
 				R_LOG_WARN ("field name is empty");
+				r_bin_field_free (field);
+				field = NULL;
 			}
 		} else {
 			R_LOG_DEBUG ("va2pa error");
@@ -462,16 +461,14 @@ static void get_ivar_list(RBinFile *bf, RBinClass *klass, mach0_ut p) {
 	}
 	r_list_sort (klass->fields, sort_by_offset);
 	RBinField *isa = R_NEW0 (RBinField);
-	if (isa) {
-		isa->name = r_bin_name_new ("isa");
-		isa->size = sizeof (mach0_ut);
-		isa->type = r_bin_name_new ("struct objc_class *");
-		// TODO r_bin_name_demangled (isa->type, "ObjC.Class*");
-		isa->kind = R_BIN_FIELD_KIND_VARIABLE;
-		isa->vaddr = 0;
-		isa->offset = 0;
-		r_list_prepend (klass->fields, isa);
-	}
+	isa->name = r_bin_name_new ("isa");
+	isa->size = sizeof (mach0_ut);
+	isa->type = r_bin_name_new ("struct objc_class *");
+	// TODO r_bin_name_demangled (isa->type, "ObjC.Class*");
+	isa->kind = R_BIN_FIELD_KIND_VARIABLE;
+	isa->vaddr = 0;
+	isa->offset = 0;
+	r_list_prepend (klass->fields, isa);
 	return;
 error:
 	r_bin_field_free (field);
@@ -530,10 +527,7 @@ static void get_objc_property_list(RBinFile *bf, RBinClass *klass, mach0_ut p) {
 			return;
 		}
 
-		if (!(property = R_NEW0 (RBinField))) {
-			// retain just for debug
-			return;
-		}
+		property = R_NEW0 (RBinField);
 
 		memset (&op, '\0', sizeof (struct MACH0_(SObjcProperty)));
 
@@ -767,10 +761,6 @@ static void get_method_list(RBinFile *bf, RBinClass *klass, const char *class_na
 		}
 
 		method = R_NEW0 (RBinSymbol);
-		if (!method) {
-			// retain just for debug
-			return;
-		}
 		struct MACH0_(SMethod) m = {0};
 		if (r + left < r || r + read_size < r) {
 			goto error;
@@ -1659,9 +1649,6 @@ static void parse_type(RBinFile *bf, RList *list, SwiftType st, HtUP *symbols_ht
 				break;
 			}
 			RBinField *field = R_NEW0 (RBinField);
-			if (!field) {
-				break;
-			}
 			ut64 field_name_addr = st.fieldmd.addr + (d * 4) + st.fieldmd_data[d];
 			ut64 field_type_addr = st.fieldmd.addr + (d * 4) + st.fieldmd_data[d - 1] - 4;
 			ut64 field_method_addr = field_name_addr;
diff --git a/libr/bin/mangling/cxx/cp-demangle.c b/libr/bin/mangling/cxx/cp-demangle.c
@@ -4674,6 +4674,7 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
 	struct d_print_mod adpm[4];
 	unsigned int i;
 	struct d_print_template dpt;
+	int is_template;
 
 	/* Pass the name down to the type so that it can be printed in
 	   the right place for the type.  We also have to pass down
@@ -4747,7 +4748,8 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
 
 	/* If typed_name is a template, then it applies to the
 	   function type as well.  */
-	if (typed_name->type == DEMANGLE_COMPONENT_TEMPLATE)
+	is_template = typed_name->type == DEMANGLE_COMPONENT_TEMPLATE;
+	if (is_template)
 	  {
 	    dpt.next = dpi->templates;
 	    dpi->templates = &dpt;
@@ -4756,7 +4758,7 @@ d_print_comp_inner (struct d_print_info *dpi, int options,
 
 	d_print_comp (dpi, options, d_right (dc));
 
-	if (typed_name->type == DEMANGLE_COMPONENT_TEMPLATE)
+	if (is_template)
 	  dpi->templates = dpt.next;
 
 	/* If the modifiers didn't get printed by the type, print them
diff --git a/libr/bin/mangling/objc.c b/libr/bin/mangling/objc.c
@@ -79,17 +79,14 @@ R_API char *r_bin_demangle_objc(RBinFile *bf, const char *sym) {
 	}
 	if (sym[0] == '_' && sym[1] && sym[2] == '_') { // gnu style
 		free (clas);
+		free (name);
 		clas = strdup (sym + 3);
 		args = strstr (clas, "__");
 		if (!args) {
 			free (clas);
-			if (name != clas) {
-				free (name);
-			}
 			return NULL;
 		}
 		*args = 0;
-		free (name);
 		name = strdup (args + 2);
 		if (!name) {
 			free (clas);
diff --git a/libr/bin/p/bin_dyldcache.c b/libr/bin/p/bin_dyldcache.c
@@ -598,6 +598,7 @@ static void create_cache_bins(RBinFile *bf, RDyldCache *cache) {
 	if (cache->images_are_global) {
 		img = read_cache_images (cache->buf, cache->hdr, 0);
 		if (!img) {
+			free (deps);
 			return;
 		}
 	}
diff --git a/libr/core/cmd.c b/libr/core/cmd.c
@@ -1034,6 +1034,7 @@ static void cmd_remote(RCore *core, const char *input, bool retry) {
 		const size_t buf_size = 1024;
 		char *buf = calloc (buf_size, 1);
 		if (!buf) {
+			free (host);
 			return;
 		}
 		void *bed = r_cons_sleep_begin (core->cons);
@@ -4970,6 +4971,7 @@ repeat:;
 				if (R_STR_ISNOTEMPTY (n)) {
 					ut64 v = r_num_math (core->num, n);
 					if (core->num->nc.errors == 0) {
+						free (k);
 						r_core_seek (core, v, true);
 						cmd_tmpseek = core->tmpseek = true;
 						goto fuji;
diff --git a/libr/core/vslides.c b/libr/core/vslides.c
@@ -124,14 +124,15 @@ static void render(SlidesState *state, RCore *core, RList *list, int mode, int p
 		char *prefix = r_str_pad (NULL, 0, ' ', w);
 		char *no = r_str_prefix_all (o2, prefix);
 		free (prefix);
-		free (o);
 		free (o2);
+		free (o);
 		o = no;
 		r_cons_print (cons, o);
 	} else {
 		char *no = r_str_ansi_crop (o, sx, sy, w, h);
 		r_cons_print (cons, no);
 		free (no);
+		o = NULL;
 	}
 	free (o);
 }
diff --git a/libr/debug/p/native/linux/linux_debug.c b/libr/debug/p/native/linux/linux_debug.c
@@ -854,6 +854,8 @@ RList *linux_pid_list(int pid, RList *list) {
 		// Unless pid 0 is requested, only add the requested pid and it's child processes
 		if (0 == pid || i == pid || pid_info->ppid == pid) {
 			r_list_append (list, pid_info);
+		} else {
+			r_debug_pid_free (pid_info);
 		}
 	}
 	closedir (dh);
diff --git a/libr/flag/flag.c b/libr/flag/flag.c
@@ -830,6 +830,7 @@ R_API RFlagItem *r_flag_set(RFlag *f, const char *name, ut64 addr, ut32 size) {
 	// this should never happen because the name is filtered before..
 	if (!r_name_check (itemname)) {
 		R_LOG_ERROR ("Invalid flag name '%s'", name);
+		free (itemname);
 		return NULL;
 	}
 
diff --git a/libr/io/io_cache.c b/libr/io/io_cache.c
@@ -4,9 +4,10 @@
 
 static int _ci_start_cmp_cb(void *incoming, void *in, void *user) {
 	RIOCacheItem *incoming_ci = (RIOCacheItem *)incoming, *in_ci = (RIOCacheItem *)in;
-	if (R_UNLIKELY (!in_ci->tree_itv)) {
+	if (R_UNLIKELY (!in_ci->tree_itv || !incoming_ci->tree_itv)) {
 		R_LOG_ERROR ("io cache tree corrupted");
 		r_sys_backtrace ();
+		return 0;
 	}
 	if (incoming_ci->tree_itv->addr < in_ci->tree_itv->addr) {
 		return -1;
@@ -309,13 +310,15 @@ R_API int r_io_cache_invalidate(RIO *io, ut64 from, ut64 to, bool many) {
 					ci->data = cidata;
 				} else {
 					R_LOG_WARN ("first realloc failed");
+					_io_cache_item_free (_ci);
 					continue;
 				}
 				ut8 *ciodata = realloc (ci->odata, (size_t)r_itv_size (ci->itv));
 				if (ciodata) {
 					ci->odata = ciodata;
 				} else {
 					R_LOG_WARN ("second realloc failed");
+					_io_cache_item_free (_ci);
 					continue;
 				}
 				if (ci->tree_itv) {
diff --git a/libr/main/radare2.c b/libr/main/radare2.c
@@ -386,6 +386,8 @@ static int main_print_var(const char *var_name) {
 	free (rcfile);
 	free (incdir);
 	free (libdir);
+	free (bindir);
+	free (mandir);
 	free (confighome);
 	free (historyhome);
 	free (datahome);
diff --git a/libr/socket/socket_http_server.c b/libr/socket/socket_http_server.c
@@ -104,6 +104,7 @@ R_API RSocketHTTPRequest *r_socket_http_accept(RSocket *s, RSocketHTTPOptions *s
 		if (content_length >= ST32_MAX) {
 			r_socket_http_close (hr);
 			r_socket_free (hr->s);
+			free (hr);
 			R_LOG_ERROR ("Could not allocate hr data");
 			return NULL;
 		}
diff --git a/libr/util/asn1.c b/libr/util/asn1.c
@@ -143,6 +143,7 @@ R_API RASN1Object *r_asn1_object_parse(const ut8 *buffer_base, const ut8 *buffer
 		}
 		ut32 count = asn1_count_objects (object->sector, object->length);
 		if (count == -1) {
+			free (object);
 			return NULL;
 		}
 		if (count > 0) {
@@ -181,6 +182,7 @@ R_API RAsn1 *r_asn1_new(const ut8 *buffer, int length, int fmtmode) {
 	}
 	a->root = r_asn1_object_parse (buffer, buffer, length, fmtmode);
 	if (a->root == NULL) {
+		r_asn1_free (a);
 		return NULL;
 	}
 	if (fmtmode == 'j') {
diff --git a/libr/util/charset.c b/libr/util/charset.c
@@ -215,6 +215,7 @@ R_API size_t r_charset_encode_str(RCharset *rc, ut8 *out, size_t out_len, const
 		if (res) {
 			size_t reslen = strlen (res);
 			if (reslen >= o_end - o) {
+				free (res);
 				break;
 			}
 			fine = true;
diff --git a/libr/util/print.c b/libr/util/print.c
diff --git a/libr/util/str.c b/libr/util/str.c
diff --git a/shlr/java/class.c b/shlr/java/class.c
diff --git a/shlr/winkd/winkd.c b/shlr/winkd/winkd.c

Original file line number	Diff line number	Diff line change
`@@ -1332,6 +1332,8 @@ static double matchBytes(RSignItem a, RSignItem b) {`
`1332`	`1332`	`}`
`1333`	`1333`	`if (a->bytes->mask) {`
`1334`	`1334`	`memcpy (combined_mask, a->bytes->mask, min_size);`
	`1335`	`+ } else {`
	`1336`	`+ memset (combined_mask, 0xff, min_size);`
`1335`	`1337`	`}`
`1336`	`1338`	`if (b->bytes->mask) {`
`1337`	`1339`	`int i;`
Original file line number	Diff line number	Diff line change
`@@ -1618,7 +1618,7 @@ static bool parseOperands(char str, ArmOp op) {`
`1618`	`1618`	`int mem_opt = 0;`
`1619`	`1619`	`int msr_op_index = 0;`
`1620`	`1620`	`size_t index_bound = strcspn (t, "]");`
`1621`		`- if (!token) {`
	`1621`	`+ if (!t) {`
`1622`	`1622`	`return false;`
`1623`	`1623`	`}`
`1624`	`1624`
`@@ -1634,6 +1634,7 @@ static bool parseOperands(char str, ArmOp op) {`
`1634`	`1634`	`}`
`1635`	`1635`	`if (operand >= MAX_OPERANDS) {`
`1636`	`1636`	`R_LOG_ERROR ("Too many operands");`
	`1637`	`+ free (t);`
`1637`	`1638`	`return false;`
`1638`	`1639`	`}`
`1639`	`1640`	`op->operands[operand].type = ARM_NOTYPE;`
`@@ -1723,6 +1724,7 @@ static bool parseOperands(char str, ArmOp op) {`
`1723`	`1724`	`token++;`
`1724`	`1725`	`}`
`1725`	`1726`	`if (!token \|\| !isdigit ((unsigned char)token)) {`
	`1727`	`+ free (t);`
`1726`	`1728`	`return false;`
`1727`	`1729`	`}`
`1728`	`1730`	`op->operands[operand].shift_amount = r_num_math (NULL, token);`
`@@ -1748,6 +1750,7 @@ static bool parseOperands(char str, ArmOp op) {`
`1748`	`1750`	`}`
`1749`	`1751`	`if (!token \|\| !isdigit ((unsigned char)token)) {`
`1750`	`1752`	`if (present) {`
	`1753`	`+ free (t);`
`1751`	`1754`	`return false;`
`1752`	`1755`	`}`
`1753`	`1756`	`op->operands[operand].shift_amount = 0;`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,7 @@ static char parse(RAsmPluginSession aps, const char *data) {`
`94`	`94`	`#endif`
`95`	`95`	`const char *op0 = buf;`
`96`	`96`	`if (!strcmp (op0, "ret") \|\| !strcmp (op0, "sret")) {`
	`97`	`+ free (buf);`
`97`	`98`	`return strdup ("return r0");`
`98`	`99`	`}`
`99`	`100`	`char *str = malloc (strlen (data) + 128);`
Original file line number	Diff line number	Diff line change
`@@ -192,6 +192,7 @@ static char parse(RAsmPluginSession aps, const char *data) {`
`192`	`192`	`w0 = w1 = w2 = w3 = '\0';`
`193`	`193`	`if (strchr (data, '(')) {`
`194`	`194`	`// avoid double-pseudo calls`
	`195`	`+ free (buf);`
`195`	`196`	`return NULL;`
`196`	`197`	`}`
`197`	`198`	`char *str = NULL;`
`@@ -378,7 +379,7 @@ static char patch(RAsmPluginSession aps, RAnalOp aop, const char op) {`
`378`	`379`	`R_LOG_ERROR ("Cant fit a nop in here");`
`379`	`380`	`return false;`
`380`	`381`	`}`
`381`		`- char hcmd = malloc ((size 2) + 5);`
	`382`	`+ hcmd = malloc ((size * 2) + 5);`
`382`	`383`	`if (!hcmd) {`
`383`	`384`	`return false;`
`384`	`385`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,9 @@ R_API char r_asm_parse_immbase(RAsm a, const char *_opstr, int base) {`
`101`	`101`	`}`
`102`	`102`	`}`
`103`	`103`	`r_strbuf_append (sb, last);`
`104`		`- return r_strbuf_drain (sb);`
	`104`	`+ char *result = r_strbuf_drain (sb);`
	`105`	`+ free (opstr);`
	`106`	`+ return result;`
`105`	`107`	`}`
`106`	`108`
`107`	`109`	`// TODO : make them internal?`
Original file line number	Diff line number	Diff line change
`@@ -5054,6 +5054,7 @@ static RVecRBinElfSymbol _load_additional_imported_symbols(ELFOBJ eo, ImportIn`
`5054`	`5054`	`if (symbol->is_imported) {`
`5055`	`5055`	`if (limit > 0 && count++ > limit) {`
`5056`	`5056`	`R_LOG_WARN ("eo.limit reached for imports");`
	`5057`	`+ free (isym);`
`5057`	`5058`	`break;`
`5058`	`5059`	`}`
`5059`	`5060`	`RVecRBinElfSymbol_push_back (imports, symbol);`
Original file line number	Diff line number	Diff line change
`@@ -3099,13 +3099,14 @@ static void parse_symbols(RBinFile bf, struct MACH0_(obj_t) mo, HtPP *symcache`
`3099`	`3099`	`sym->name = r_bin_name_new (symbol.name);`
`3100`	`3100`	`} else {`
`3101`	`3101`	`char *name = r_str_newf ("entry%u", (ut32)i);`
`3102`		`- sym->name = r_bin_name_new (symbol.name);`
	`3102`	`+ sym->name = r_bin_name_new (name);`
`3103`	`3103`	`free (name);`
`3104`	`3104`	`}`
`3105`	`3105`	`sym->type = symbol.type == R_BIN_MACH0_SYMBOL_TYPE_LOCAL? "LOCAL": "EXT";`
`3106`	`3106`	`sym->is_imported = symbol.is_imported;`
`3107`	`3107`	`sym->ordinal = ordinal++;`
`3108`	`3108`	`_enrich_symbol (bf, mo, symcache, sym);`
	`3109`	`+ free (symbol.name);`
`3109`	`3110`	`}`
`3110`	`3111`	`}`
`3111`	`3112`