Found using oss-fuzz
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
This call allocates memory and stores it in pk.
Then, in most cases, that memory gets freed.
But in the last case before returning, it remains unfreed.
Patch would be like
diff --git a/g10/mainproc.c b/g10/mainproc.c index 74c6e9ec3..6a0389de6 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2287,10 +2287,11 @@ check_sig_and_print (CTX c, kbnode_t node) } if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED) log_error (_("Can't check signature: %s\n"), gpg_strerror (rc)); + + free_public_key (pk); + pk = NULL; } return rc; }
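Review bot: the new `free_public_key (pk); pk = NULL;` sits on the one error path that previously returned without releasing pk, so confirm free_public_key tolerates a NULL argument: on the earlier error branches do_check_sig may fail before it ever stores a key in pk, and the fix must not turn a leak into a NULL dereference. The `pk = NULL;` directly before `return rc;` is a dead store and can be dropped, or the release moved to the single exit so every path goes through it. The hunk header `@@ -2287,10 +2287,11 @@` does not match three added lines (the new-side count should grow by three), so regenerate the patch with git before applying it.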
The bug can be reproduced with the sample file
gpg --verify leak-63d8afd9fd5b9125dc068a508933f8c73b508d56
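Added illustration (not GnuPG's code): constructed stand-ins for do_check_sig, free_public_key and check_sig_and_print show the ownership rule the leak violates, with a counter of live key objects so the unfreed path is measurable; every type and function name here is a hypothetical stand-in.

```c
#include <stdlib.h>
/* Constructed stand-ins, not GnuPG code: a key packet and a counter of live
   allocations, so the ownership bug is visible without valgrind or ASan. */
typedef struct { int placeholder; } PKT_public_key;
static int live_pk = 0;

static void free_public_key(PKT_public_key *pk)
{
    if (!pk) return;      /* must tolerate NULL: pk is unset on early errors */
    free(pk);
    live_pk--;
}

/* Stand-in for do_check_sig: allocates the key into *pk and hands ownership
   to the caller. 0 = good signature, 1 = bad signature, 2 = other error
   (the "last case" in the report). */
static int do_check_sig_stub(int outcome, PKT_public_key **pk)
{
    *pk = calloc(1, sizeof **pk);
    if (!*pk) return -1;
    live_pk++;
    return outcome;
}

/* Shape of the unpatched function: the good and bad-signature paths release
   pk, but the generic error path returns with it still allocated. */
int check_sig_leaky(int outcome)
{
    PKT_public_key *pk = NULL;
    int rc = do_check_sig_stub(outcome, &pk);
    if (rc == 0) { free_public_key(pk); return 0; }
    if (rc == 1) { free_public_key(pk); return rc; }
    return rc;            /* leak: pk is never freed on this path */
}

/* Shape after the patch: the error path frees pk before returning. */
int check_sig_fixed(int outcome)
{
    PKT_public_key *pk = NULL;
    int rc = do_check_sig_stub(outcome, &pk);
    if (rc == 0) { free_public_key(pk); return 0; }
    if (rc == 1) { free_public_key(pk); return rc; }
    free_public_key(pk);
    pk = NULL;
    return rc;
}

/* Number of key objects currently allocated and not yet freed. */
int live_public_keys(void) { return live_pk; }
```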