From f67de332a18010e7f54f0d276c0ef7ee304327e1 Mon Sep 17 00:00:00 2001
From: Yoichi NAKAYAMA <yoichi.nakayama@gmail.com>
Date: Tue, 19 Jun 2012 19:13:46 +0900
Subject: [PATCH] Fix memory leak and access violation in
 UpnpSendAction(Ex)Async.

Free buffers after malloc or ixmlPrintNode failure.
Free Param->Header before destructing Param.
(cherry picked from commit d9e90499b7ead7e9fae30b9c248b343ec6d9b273)
---
 ChangeLog              | 7 +++++++
 upnp/src/api/upnpapi.c | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 34c5c6f..6b783c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -332,6 +332,13 @@ Version 1.8.0
 Version 1.6.18
 *******************************************************************************
 
+2012-06-19 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
+
+	Fix memory leak and access violation in UpnpSendAction(Ex)Async.
+
+	Free buffers after malloc or ixmlPrintNode failure.
+	Free Param->Header before destructing Param.
+
 2012-05-25 Anoop Mohan <anoop.anoop(at)gmail.com>
 
 	This patch fixes a bug in non blocking connect call where the sock
diff --git a/upnp/src/api/upnpapi.c b/upnp/src/api/upnpapi.c
index 2a24b52..375adc8 100644
--- a/upnp/src/api/upnpapi.c
+++ b/upnp/src/api/upnpapi.c
@@ -2769,6 +2769,7 @@ int UpnpSendActionAsync(
         malloc( sizeof( struct UpnpNonblockParam ) );
 
     if( Param == NULL ) {
+        ixmlFreeDOMString( tmpStr );
         return UPNP_E_OUTOF_MEMORY;
     }
     memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
@@ -2862,6 +2863,7 @@ int UpnpSendActionExAsync(
 
     tmpStr = ixmlPrintNode( ( IXML_Node * ) Act );
     if( tmpStr == NULL ) {
+        ixmlFreeDOMString( headerStr );
         return UPNP_E_INVALID_ACTION;
     }
 
@@ -2869,6 +2871,8 @@ int UpnpSendActionExAsync(
         ( struct UpnpNonblockParam * )
         malloc( sizeof( struct UpnpNonblockParam ) );
     if( Param == NULL ) {
+        ixmlFreeDOMString( tmpStr );
+        ixmlFreeDOMString( headerStr );
         return UPNP_E_OUTOF_MEMORY;
     }
     memset( Param, 0, sizeof( struct UpnpNonblockParam ) );
@@ -2892,10 +2896,10 @@ int UpnpSendActionExAsync(
 
     retVal = ixmlParseBufferEx( tmpStr, &( Param->Act ) );
     if( retVal != IXML_SUCCESS ) {
+        ixmlDocument_free( Param->Header );
         free( Param );
         ixmlFreeDOMString( tmpStr );
         ixmlFreeDOMString( headerStr );
-        ixmlDocument_free( Param->Header );
         if( retVal == IXML_INSUFFICIENT_MEMORY ) {
             return UPNP_E_OUTOF_MEMORY;
         } else {