From 75cab9c28d36ea6480744e2d80c3e1a53c39fbd7 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Sun, 5 Oct 2025 17:01:48 +0100
Subject: [PATCH] [Fix] Fix memory leak in rspamd_shingles_from_html

The struct_sgl object from generate_shingles_from_string_tokens() was only
deleted when pool == nullptr, causing memory leaks when a memory pool was
active. Now struct_sgl is always deleted after copying to res, regardless
of pool allocation method.
---
 src/libutil/shingles_html.cxx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/libutil/shingles_html.cxx b/src/libutil/shingles_html.cxx
index 8792f3ee84..6a6e6cd806 100644
--- a/src/libutil/shingles_html.cxx
+++ b/src/libutil/shingles_html.cxx
@@ -427,7 +427,7 @@ rspamd_shingles_from_html(void *html_content,
 		return nullptr;
 	}
 
-	/* Allocate result */
+	/* Allocate result after all early exit checks to avoid leaks */
 	struct rspamd_html_shingle *res;
 	if (pool) {
 		res = static_cast<rspamd_html_shingle *>(rspamd_mempool_alloc0(pool, sizeof(*res)));
@@ -451,9 +451,8 @@ rspamd_shingles_from_html(void *html_content,
 
 	if (struct_sgl) {
 		std::memcpy(&res->structure_shingles, struct_sgl, sizeof(struct rspamd_shingle));
-		if (pool == nullptr) {
-			delete struct_sgl;
-		}
+		/* Always delete struct_sgl after copying, regardless of pool */
+		delete struct_sgl;
 	}
 	else {
 		std::memset(&res->structure_shingles, 0, sizeof(struct rspamd_shingle));
-- 
2.47.3