From 3ccb16052ae6096e4a0d5aede7af73f4ff4c1a82 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Fri, 15 May 2026 22:16:22 -0400 Subject: [PATCH] apply: plug leak on "patch too large" error In apply_patch(), we return immediately if read_patch_file() returns an error. Traditionally this was OK, since an error from strbuf_read() would restore the strbuf to its unallocated state. But since f1c0e3946e (apply: reject patches larger than ~1 GiB, 2022-10-25), we may also return an error if we successfully read the patch but it is too large. In this case we leak the strbuf contents when apply_patch() returns. You can see it in action by running t4141 under LSan with the EXPENSIVE prereq enabled. We can fix this in one of two places: 1. In read_patch_file(), we could release the buffer before returning the error, behaving more like a raw strbuf_read() call. 2. In apply_patch(), we can release the strbuf ourselves before returning. I picked the latter, since it future proofs us against read_patch_file() getting new error modes. We also have a cleanup label in that function already, so now our error handling at this spot matches the rest of the function (and all of the variables are initialized such that the rest of the cleanup is correctly a noop at this point). Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- apply.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apply.c b/apply.c index 4aa1694cfa..249248d4f2 100644 --- a/apply.c +++ b/apply.c @@ -4881,8 +4881,10 @@ static int apply_patch(struct apply_state *state, state->patch_input_file = filename; state->linenr = 1; - if (read_patch_file(&buf, fd) < 0) - return -128; + if (read_patch_file(&buf, fd) < 0) { + res = -128; + goto end; + } offset = 0; while (offset < buf.len) { struct patch *patch;