On Tue, Dec 13, 2016 at 04:30:01PM +0100, Johannes Schindelin wrote: > + else { > + unsigned char head[20]; > + struct commit *head_commit; > + const char *head_message, *body; > + > + if (get_sha1("HEAD", head)) > + return error(_("need a HEAD to fixup")); > + if (!(head_commit = lookup_commit_reference(head))) > + return error(_("could not read HEAD")); > + if (!(head_message = get_commit_buffer(head_commit, NULL))) > + return error(_("could not read HEAD's commit message")); This get_commit_buffer() may allocate a fresh buffer... > + body = strstr(head_message, "\n\n"); > + if (!body) > + body = ""; > + else > + body = skip_blank_lines(body + 2); > + if (write_message(body, strlen(body), > + rebase_path_fixup_msg(), 0)) > + return error(_("cannot write '%s'"), > + rebase_path_fixup_msg()); ...and then this return leaks the result (the other code path hits unuse_commit_buffer(), and is fine). This leak was noticed by Coverity. It has a _ton_ of false positives across the whole project, but it sends out a mail with new ones every few days, which is usually short enough that I can process it in 30 seconds or so. I _think_ that email just goes to me and Stefan right now. You can add yourself at: https://scan.coverity.com/projects/git?tab=project_settings if you already have admin access to the project (which I think you (Dscho) do). I wonder if it would be helpful to send that output to the list. -Peff