From bcb6107f98d7b1edf687d7afd552a4528b7e673b Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Tue, 12 May 2020 21:15:13 +0100
Subject: [PATCH 2/7] Don't leak memory when reallocation fails.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200512211514.1398384-2-jmaloy@redhat.com>
Patchwork-id: 96412
O-Subject: [RHEL-AV-8.2.1 qemu-kvm PATCH 1/2] Don't leak memory when reallocation fails.
Bugzilla: 1749737
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

From: Jindrich Novy <jnovy@redhat.com>

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
[ Marc-André - modified to use a temporary variable ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from libslirp commit d171af3732a0610a25334b06b77fa547bd677918)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>

Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
 slirp/src/sbuf.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/slirp/src/sbuf.c b/slirp/src/sbuf.c
index abced48..0569c34 100644
--- a/slirp/src/sbuf.c
+++ b/slirp/src/sbuf.c
@@ -39,13 +39,16 @@ void sbreserve(struct sbuf *sb, int size)
     if (sb->sb_data) {
         /* Already alloced, realloc if necessary */
         if (sb->sb_datalen != size) {
-            sb->sb_wptr = sb->sb_rptr = sb->sb_data =
-                (char *)realloc(sb->sb_data, size);
+            char *new = realloc(sb->sb_data, size);
             sb->sb_cc = 0;
-            if (sb->sb_wptr)
+            if (new) {
+                sb->sb_data = sb->sb_wptr = sb->sb_rptr = new;
                 sb->sb_datalen = size;
-            else
+            } else {
+                free(sb->sb_data);
+                sb->sb_data = sb->sb_wptr = sb->sb_rptr = NULL;
                 sb->sb_datalen = 0;
+            }
         }
     } else {
         sb->sb_wptr = sb->sb_rptr = sb->sb_data = (char *)malloc(size);
-- 
1.8.3.1