1324 _cairo_truetype_read_font_name (cairo_scaled_font_t *scaled_font, loop_start: 1365 for (i = 0; i < be16_to_cpu(name->num_records); i++) { 1370 if (be16_to_cpu (record->name) == 4) { 1371 font_name = malloc (be16_to_cpu(record->length) + 1); 1382 if (be16_to_cpu (record->name) == 6) { 1383 ps_name = malloc (be16_to_cpu(record->length) + 1); 1394 if (font_name && ps_name) 1395 break; 1396 } 1397 } logic: 1. enter loop_start 1365, i=0 2. cond 1370 take true path 3. alloc 1371 font_name 4. cond 1382 take false path 5. cond 1394 take false path 6. loop 1397 go to loop_start 7. cond 1370 take true path 8. leak 1371 font_name from step 3 9. alloc 1371 font_name 10. cond 1382 take true path 11. alloc 1383 ps_name 12. cond 1394 take true path exit loop A similar path can be found where you leak ps_name

other paths are possible including one where an alloc failure for ps_name results in font_name leaking or vice versa.

Comment on attachment 391614 [details] [diff] [review] updated reviewer Review of attachment 391614 [details] [diff] [review]: ----------------------------------------------------------------- This seems unlikely to happen in practice and the work should be done upstream if needed. Since it's found with a static checker we can always rediscover this.