When one of the first allocations of cil_binary_create_allocated_pdb() fails, the exit label dereferences the items of array perm_value_to_cil even though it could be still NULL. This issue has been found using clang's static analyzer: https://327-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-08-05-203459-6149-1/report-febf85.html#EndPath Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> --- libsepol/cil/src/cil_binary.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 77ffc36f20ff..c882d5b74226 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -5043,11 +5043,13 @@ exit: hashtab_destroy(avrulex_ioctl_table); free(type_value_to_cil); free(class_value_to_cil); - /* Range is because libsepol values start at 1. */ - for (i=1; i < db->num_classes+1; i++) { - free(perm_value_to_cil[i]); + if (perm_value_to_cil != NULL) { + /* Range is because libsepol values start at 1. */ + for (i=1; i < db->num_classes+1; i++) { + free(perm_value_to_cil[i]); + } + free(perm_value_to_cil); } - free(perm_value_to_cil); cil_list_destroy(&neverallows, CIL_FALSE); return rc; -- 2.22.0
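Review bot: the new `if (perm_value_to_cil != NULL)` guard in the `exit:` path covers the case where the outer array was never allocated, but the loop inside it still calls `free(perm_value_to_cil[i])` for every index from 1 to `db->num_classes`, so it stays safe only if the array is zero-initialised when allocated and is sized for `db->num_classes + 1` entries. Neither the allocation nor the initialisation is visible in this hunk, so please confirm that a failure after the outer allocation but before all per-class entries are filled leaves the remaining slots NULL, and consider extending the existing comment to state that assumption. A smaller point on the commit message: the analyzer report is referenced only through a CI artifact URL, so a one-line summary of the reported path (which allocation fails and where the NULL dereference happens) would keep the rationale readable once that link expires.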