From: Willy Tarreau <w@1wt.eu>
Date: Mon, 11 May 2026 13:04:19 +0000 (+0200)
Subject: BUG/MINOR: tools: fix memory leak in env_expand() error path
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=0995c914bd6406264e24b44278bbc806c43ba67c;p=haproxy.git

BUG/MINOR: tools: fix memory leak in env_expand() error path

When my_realloc2() fails in env_expand(), the code jumps to 'leave:' and
returns NULL, but the original input 'in' is never freed (it's only freed
at line 4919 in the success case). Given that callers typically pass it
the direct return of strdup(), it looks like it is expected to always be
freed. This can be backported everywhere.
---

diff --git a/src/tools.c b/src/tools.c
index 268951629..23a865a8c 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -4900,8 +4900,10 @@ char *env_expand(char *in)
 		}
 
 		out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);
-		if (!out)
+		if (!out) {
+			free(in);
 			goto leave;
+		}
 
 		if (txt_end > txt_beg) {
 			memcpy(out + out_len, txt_beg, txt_end - txt_beg);