From 3932737df1a022f8f207db9874194600296ed437 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Mon, 9 Sep 2013 22:50:41 +1000 Subject: [PATCH] Fix memory leaks in libio on allocation failure
---
 ChangeLog | 4 ++++ NEWS | 2 +- libio/memstream.c | 5 ++++- libio/wmemstream.c | 6 ++++-- 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 306dda7..30c6a39 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 2013-09-09 Allan McRae
+ [BZ #15892]
+ * libio/memstream.c (open_memstream): Fix memory leak.
+ * libio/wmemstream.c (open_wmemstream): Likewise.
+
 [BZ #15895]
 * nscd/netgroupcache.c: Fix nesting of ifdefs.
diff --git a/NEWS b/NEWS
index 5ade03c..72c10e6 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.19
 * The following bugs are resolved with this release:
 14155, 14699, 15427, 15522, 15531, 15532, 15736, 15749, 15797, 15844,
- 15867, 15886, 15887, 15890, 15895, 15897, 15905, 15909, 15921.
+ 15867, 15886, 15887, 15890, 15892, 15895, 15897, 15905, 15909, 15921.
 * CVE-2013-4237 The readdir_r function could write more than NAME_MAX bytes to the d_name member of struct dirent, or omit the terminating NUL
diff --git a/libio/memstream.c b/libio/memstream.c
index 34534e2..3cb1bd7 100644
--- a/libio/memstream.c
+++ b/libio/memstream.c
@@ -84,7 +84,10 @@ open_memstream (bufloc, sizeloc)
 buf = calloc (1, _IO_BUFSIZ);
 if (buf == NULL)
- return NULL;
+ {
+ free (new_f);
+ return NULL;
+ }
 _IO_init (&new_f->fp._sf._sbf._f, 0);
 _IO_JUMPS ((struct _IO_FILE_plus *) &new_f->fp._sf._sbf) = &_IO_mem_jumps;
 _IO_str_init_static_internal (&new_f->fp._sf, buf, _IO_BUFSIZ, buf);
diff --git a/libio/wmemstream.c b/libio/wmemstream.c
index 65738d4..fd7fe44 100644
--- a/libio/wmemstream.c
+++ b/libio/wmemstream.c
@@ -85,8 +85,10 @@ open_wmemstream (bufloc, sizeloc)
 buf = calloc (1, _IO_BUFSIZ);
 if (buf == NULL)
- return NULL;
-
+ {
+ free (new_f);
+ return NULL;
+ }
 _IO_no_init (&new_f->fp._sf._sbf._f, 0, 0, &new_f->wd, &_IO_wmem_jumps);
 _IO_fwide (&new_f->fp._sf._sbf._f, 1);
 _IO_wstr_init_static (&new_f->fp._sf._sbf._f, buf,
-- 2.7.4
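Review bot: The added `free (new_f);` sits between the failed `calloc` and `return NULL;`, so the `errno` value left by the allocation failure can be overwritten before the caller sees it; ISO C does not promise that `free` preserves `errno`. The identical branch in the `libio/memstream.c` hunk has the same gap. Saving and restoring the value around the call, for example `int saved = errno; free (new_f); __set_errno (saved);`, keeps the failure reason intact for callers that inspect `errno` after a NULL return. Both function bodies start and end outside their hunks, so whether `<errno.h>` is already in scope there needs checking.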