If str_read() fails to read the next entry it has already allocated memory for it. Free the passed pointer also in the error case.
Reported-by: oss-fuzz (issue 60567)
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/src/avtab.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c
index 99fdaa87..5c76fe12 100644
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@@ -857,7 +857,7 @@ static int filename_trans_read_one(avtab_t *a, void *fp)
 len = le32_to_cpu(*buf);
 rc = str_read(&name, fp, len);
 if (rc < 0)
- return SEPOL_ERR;
+ goto err;
 /* read stype, ttype, tclass and otype */
 rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
@@ -898,7 +898,7 @@ static int filename_trans_comp_read_one(avtab_t *a, void *fp)
 len = le32_to_cpu(*buf);
 rc = str_read(&name, fp, len);
 if (rc < 0)
- return SEPOL_ERR;
+ goto err;
 /* read ttype, tclass, ndatum */
 rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
--
2.40.1
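Review bot: The new `goto err` after `str_read()` in filename_trans_read_one is only safe if everything the `err:` cleanup releases is already in a defined state at that point, and neither the label nor the declarations are visible in this hunk, so that cannot be confirmed from here. In particular `name` should be initialised to NULL at its declaration, in case str_read() fails before it assigns the pointer, and any other object the error path frees or destroys must be initialised before this jump. The same applies to the second hunk, in filename_trans_comp_read_one. Because this parser reads a binary policy that may be malformed, a short comment at each jump would keep the reason on record, for example `/* str_read() may leave an allocation in name on failure */`.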