From 652e28838c1af8adf442dee8a805a65c1e58353a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 2 Apr 2024 17:29:25 +0200
Subject: [PATCH] checkpolicy: free complete role_allow_rule on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Free the ebitmaps inside the rolesets on error.

Reported-by: oss-fuzz (issue 67769)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 checkpolicy/policy_define.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 4fc6c417b..1c019a3b8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3186,6 +3186,7 @@ int define_role_allow(void)
 
 	while ((id = queue_remove(id_queue))) {
 		if (set_roles(&ra->roles, id)) {
+			role_allow_rule_destroy(ra);
 			free(ra);
 			return -1;
 		}
@@ -3193,6 +3194,7 @@ int define_role_allow(void)
 
 	while ((id = queue_remove(id_queue))) {
 		if (set_roles(&ra->new_roles, id)) {
+			role_allow_rule_destroy(ra);
 			free(ra);
 			return -1;
 		}