Fix a few memleaks in TXT_DB.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)

diff --git a/apps/ca.c b/apps/ca.c
index 8329884612751f1ad73dd21cb6835788aeb9c8b9..e53695453a3570e1d829cb843b7787ff9aba62e7 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1836,10 +1836,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     }
 
     irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
-    for (i = 0; i < DB_NUMBER; i++) {
+    for (i = 0; i < DB_NUMBER; i++)
         irow[i] = row[i];
-        row[i] = NULL;
-    }
     irow[DB_NUMBER] = NULL;
 
     if (!TXT_DB_insert(db->db, irow)) {
@@ -1847,10 +1845,14 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
         goto end;
     }
+    irow = NULL;
     ok = 1;
  end:
-    for (i = 0; i < DB_NUMBER; i++)
-        OPENSSL_free(row[i]);
+    if (irow != NULL) {
+        for (i = 0; i < DB_NUMBER; i++)
+            OPENSSL_free(row[i]);
+        OPENSSL_free(irow);
+    }
 
     X509_NAME_free(CAname);
     X509_NAME_free(subject);

diff --git a/crypto/txt_db/txt_db.c b/crypto/txt_db/txt_db.c
index 14322309a7a19960dbd8ec42aa70971a66011109..cf932a52aa6525a390f7a3b7b40604be29b2e083 100644 (file)
--- a/crypto/txt_db/txt_db.c
+++ b/crypto/txt_db/txt_db.c
@@ -104,12 +104,15 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
         }
         *(p++) = '\0';
         if ((n != num) || (*f != '\0')) {
+            OPENSSL_free(pp);
             ret->error = DB_ERROR_WRONG_NUM_FIELDS;
             goto err;
         }
         pp[n] = p;
-        if (!sk_OPENSSL_PSTRING_push(ret->data, pp))
+        if (!sk_OPENSSL_PSTRING_push(ret->data, pp)) {
+            OPENSSL_free(pp);
             goto err;
+        }
     }
     BUF_MEM_free(buf);
     return ret;
@@ -148,7 +151,7 @@ int TXT_DB_create_index(TXT_DB *db, int field, int (*qual) (OPENSSL_STRING *),
                         OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC cmp)
 {
     LHASH_OF(OPENSSL_STRING) *idx;
-    OPENSSL_STRING *r;
+    OPENSSL_STRING *r, *k;
     int i, n;
 
     if (field >= db->num_fields) {
@@ -165,13 +168,18 @@ int TXT_DB_create_index(TXT_DB *db, int field, int (*qual) (OPENSSL_STRING *),
         r = sk_OPENSSL_PSTRING_value(db->data, i);
         if ((qual != NULL) && (qual(r) == 0))
             continue;
-        if ((r = lh_OPENSSL_STRING_insert(idx, r)) != NULL) {
+        if ((k = lh_OPENSSL_STRING_insert(idx, r)) != NULL) {
             db->error = DB_ERROR_INDEX_CLASH;
-            db->arg1 = sk_OPENSSL_PSTRING_find(db->data, r);
+            db->arg1 = sk_OPENSSL_PSTRING_find(db->data, k);
             db->arg2 = i;
             lh_OPENSSL_STRING_free(idx);
             return (0);
         }
+        if (lh_OPENSSL_STRING_retrieve(idx, r) == NULL) {
+            db->error = DB_ERROR_MALLOC;
+            lh_OPENSSL_STRING_free(idx);
+            return (0);
+        }
     }
     lh_OPENSSL_STRING_free(db->index[field]);
     db->index[field] = idx;
@@ -244,20 +252,29 @@ int TXT_DB_insert(TXT_DB *db, OPENSSL_STRING *row)
             }
         }
     }
-    /* We have passed the index checks, now just append and insert */
-    if (!sk_OPENSSL_PSTRING_push(db->data, row)) {
-        db->error = DB_ERROR_MALLOC;
-        goto err;
-    }
 
     for (i = 0; i < db->num_fields; i++) {
         if (db->index[i] != NULL) {
             if ((db->qual[i] != NULL) && (db->qual[i] (row) == 0))
                 continue;
             (void)lh_OPENSSL_STRING_insert(db->index[i], row);
+            if (lh_OPENSSL_STRING_retrieve(db->index[i], row) == NULL)
+                goto err1;
         }
     }
+    if (!sk_OPENSSL_PSTRING_push(db->data, row))
+        goto err1;
     return (1);
+
+ err1:
+    db->error = DB_ERROR_MALLOC;
+    while (i-- > 0) {
+        if (db->index[i] != NULL) {
+            if ((db->qual[i] != NULL) && (db->qual[i] (row) == 0))
+                continue;
+            (void)lh_OPENSSL_STRING_delete(db->index[i], row);
+        }
+    }
  err:
     return (0);
 }