Fix some issues found by scan-build ##crash

libr/anal/block.c

@@ -900,11 +900,11 @@ R_API RAnalBlock *r_anal_block_chop_noreturn(RAnalBlock *block, ut64 addr) {
 
 	// Free/unref BEFORE doing the merge!
 	// Some of the blocks might not be valid anymore later!
-	r_anal_block_unref (block);
 	ht_up_free (succs);
 
 	ut64 block_addr = block->addr; // save the addr to identify the block. the automerge might free it so we must not use the pointer!
 
+	r_anal_block_unref (block);
 	// Do the actual merge
 	r_anal_block_automerge (&merge_blocks);
 

libr/anal/flirt.c

@@ -814,6 +814,7 @@ static ut8 read_module_public_functions(RFlirt *f, RFlirtModule *module, ut8 *fl
 	ut8 current_byte;
 
 	module->public_functions = r_list_new ();
+	RFlirtFunction *function = NULL;
 
 	do {
 		if (f->version >= 9) {   // seems like version 9 introduced some larger offsets
@@ -827,7 +828,7 @@ static ut8 read_module_public_functions(RFlirt *f, RFlirtModule *module, ut8 *fl
 				goto beach;
 			}
 		}
-		RFlirtFunction *function = R_NEW0 (RFlirtFunction);
+		function = R_NEW0 (RFlirtFunction);
 		function->offset = offset;
 
 		current_byte = read_byte (f);
@@ -849,7 +850,6 @@ static ut8 read_module_public_functions(RFlirt *f, RFlirtModule *module, ut8 *fl
 #endif
 			current_byte = read_byte (f);
 			if (f->buf_eof || f->buf_err) {
-				free (function);
 				goto beach;
 			}
 		}
@@ -858,7 +858,6 @@ static ut8 read_module_public_functions(RFlirt *f, RFlirtModule *module, ut8 *fl
 			function->name[i] = current_byte;
 			current_byte = read_byte (f);
 			if (f->buf_eof || f->buf_err) {
-				free (function);
 				goto beach;
 			}
 		}
@@ -879,6 +878,7 @@ static ut8 read_module_public_functions(RFlirt *f, RFlirtModule *module, ut8 *fl
 	return true;
 
 beach:
+	free (function);
 	return false;
 }
 

libr/anal/p/anal_a2f.c

@@ -362,6 +362,7 @@ static bool analyzeFunction(RCore *core, ut64 addr) {
 	loc_addr = sdb_num_get (db, "addr", NULL);
 	RAnalFunction *fcn_at_addr = r_anal_get_function_at (core->anal, loc_addr);
 	if (fcn_at_addr) {
+		free (function_label);
 		return false;
 	}
 

libr/anal/var.c

@@ -1810,6 +1810,7 @@ R_API char *r_anal_function_format_sig(R_NONNULL RAnal *anal, R_NONNULL RAnalFun
 			}
 			if (R_STR_ISEMPTY (type)) {
 				R_LOG_WARN ("Missing type for arg %d of function '%s'", i, type_fcn_name);
+				free (type);
 				goto beach;
 			}
 			size_t len = strlen (type);

libr/arch/p/x86/plugin_cs.c

@@ -1,4 +1,4 @@
-/* radare2 - LGPL - Copyright 2013-2024 - pancake */
+/* radare2 - LGPL - Copyright 2013-2025 - pancake */
 
 #include <r_arch.h>
 #include <r_anal.h>

libr/bin/dbginfo.c

@@ -101,7 +101,7 @@ static RBinDbgItem *r_bin_dbgitem_api(RBin *bin, ut64 addr) {
 		if (cp && cp->dbginfo && cp->dbginfo->get_line) {
 			if (cp->dbginfo->get_line (bin->cur, addr, file, len, &line, &column)) {
 				RBinDbgItem *di = R_NEW0 (RBinDbgItem);
-				di->file = file;
+				di->file = strdup (file);
 				di->address = addr;
 				di->line = line;
 				di->column = column;

libr/bin/p/bin_xnu_kernelcache.c

@@ -240,6 +240,7 @@ static bool load(RBinFile *bf, RBuffer *buf, ut64 loadaddr) {
 
 beach:
 	r_buf_free (fbuf);
+	r_rebase_info_free (rebase_info);
 	MACH0_(mach0_free) (main_mach0);
 	return false;
 }

libr/cons/grep.c

@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2024 - pancake, nibble */
+/* radare - LGPL - Copyright 2009-2025 - pancake, nibble */
 
 #include <r_cons.h>
 #include <r_util/r_print.h>
@@ -220,7 +220,7 @@ R_API void r_cons_grep_expression(const char *str) {
 				} else {
 					grep->sort_invert = false;
 				}
-				while (isdigit (*ptr)) {
+				while (*ptr && isdigit (*ptr)) {
 					ptr++;
 				}
 				if (*ptr == ':') {
@@ -797,7 +797,7 @@ R_API void r_cons_grepbuf(void) {
 		cons->context->buffer_len = 0;
 		cons->context->buffer_sz = 0;
 		r_cons_print (s);
-		buf = cons->context->buffer;
+		in = buf = cons->context->buffer;
 		len = cons->context->buffer_len;
 		r_json_free (node);
 		free (a);

libr/core/cmd_help.inc.c

@@ -1448,11 +1448,15 @@ static int cmd_help(void *data, const char *input) {
 				  }
 				  r_str_trim (str);
 				  RList *list = r_str_split_list (str, " ", 0);
-				  int *nums = calloc (sizeof (ut64), r_list_length (list));
+				  int *nums = calloc (sizeof (int), r_list_length (list));
 				  char **text = calloc (sizeof (char *), r_list_length (list));
 				  int i = 0;
 				  r_list_foreach (list, iter, word) {
-					nums[i] = r_num_math (core->num, word);
+					st64 n = r_num_math (core->num, word);
+					if (n >= ST32_MAX || n < 0) {
+						R_LOG_WARN ("Number out of range");
+					}
+					nums[i] = n;
 					i++;
 				  }
 				  int j = 0;

libr/core/project.c

@@ -328,7 +328,6 @@ static bool r_core_project_load(RCore *core, const char *prj_name, const char *r
 		//check if the project uses git
 		Rvc *vc = rvc_open (prj_path, RVC_TYPE_GIT);
 		core->prj->rvc = vc;
-		free (prj_path);
 	} else {
 		R_LOG_ERROR ("Failed to load rvc");
 	}
@@ -338,6 +337,7 @@ static bool r_core_project_load(RCore *core, const char *prj_name, const char *r
 		r_line_hist_load (file);
 		free (file);
 	}
+	free (prj_path);
 	r_config_set_b (core->config, "cfg.fortunes", cfg_fortunes);
 	r_config_set_b (core->config, "scr.interactive", scr_interactive);
 	r_config_set_b (core->config, "scr.prompt", scr_prompt);

libr/core/visual.c

@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2024 - pancake */
+/* radare - LGPL - Copyright 2009-2025 - pancake */
 
 #include <r_core.h>
 #include <r_vec.h>
@@ -1975,6 +1975,7 @@ static void visual_comma(RCore *core) {
 			if (R_STR_ISEMPTY (comment)) {
 				comment = r_str_newf (",(%s)", fn);
 				r_meta_set_string (core->anal, R_META_TYPE_COMMENT, addr, comment);
+				R_FREE (comment);
 			} else {
 				// append filename in current comment
 				char *nc = r_str_newf ("%s ,(%s)", comment, fn);

libr/flag/flag.c

@@ -557,7 +557,7 @@ R_API RFlagItem *r_flag_get_by_spaces(RFlag *f, bool prionospace, ut64 off, ...)
 
 	// get RSpaces from the names
 	i = 0;
-	spaces = R_NEWS (RSpace *, n_spaces);
+	spaces = R_NEWS (RSpace *, n_spaces + 1);
 	spacename = va_arg (ap, const char *);
 	while (spacename) {
 		RSpace *space = r_flag_space_get (f, spacename);

libr/main/rabin2.c

@@ -853,6 +853,7 @@ R_API int r_main_rabin2(int argc, const char **argv) {
 			break;
 		case 'h':
 			r_core_fini (&core);
+			free (create);
 			free (state.stdin_buf);
 			return rabin_show_help (1);
 		default:

libr/reg/profile.c

@@ -167,7 +167,7 @@ R_API bool r_reg_set_profile_string(RReg *reg, const char *str) {
 		return true;
 	}
 	// eprintf ("OLD (%s) NEW (%s)\n", reg->reg_profile_str, str);
-// remove all arenas
+	// remove all arenas
 	// we should reset all the arenas before setting the new reg profile
 	r_reg_arena_pop (reg);
 	// Purge the old registers
@@ -235,12 +235,17 @@ R_API bool r_reg_set_profile_string(RReg *reg, const char *str) {
 			// Save the token
 			tok[j++] = strdup (tmp);
 		}
+		tok[j] = NULL;
 		if (j) {
 			// Do the actual parsing
 			char *first = tok[0];
 			// Check whether it's defining an alias or a register
 			if (r_str_startswith (first, "=RS")) {
-				reg->bits_default = atoi (tok[1]);
+				if (tok[1]) {
+					reg->bits_default = atoi (tok[1]);
+				} else {
+					R_LOG_ERROR ("Missing argument for =RS");
+				}
 			} else {
 				const char *r = NULL;
 				if (*first == '^') {

libr/search/uds.c

@@ -62,8 +62,8 @@ R_API RList *r_search_find_uds(RSearch *search, ut64 addr, const ut8 *data, size
 	unsigned int i, j, k, max_score, stride;
 	unsigned int candb_position = 0;
 
-	unsigned int *score = (unsigned int *)calloc (size, sizeof (int));
-	unsigned int *stride_score = (unsigned int *)calloc (size, sizeof (int));
+	unsigned int *score = (unsigned int *)calloc (size, sizeof (unsigned int));
+	unsigned int *stride_score = (unsigned int *)calloc (size, sizeof (unsigned int));
 
 	unsigned char UDS_local[UDS_SIZE];
 	for (i = 1; i < size - (CANDB_SIZE * 2); i++) {

libr/util/graph.c

@@ -426,12 +426,12 @@ R_API RGraph *r_graph_dom_tree(RGraph *graph, RGraphNode *root) {
 				min_n = in;
 			}
 		}
-		while (((RGraphDomNode *)max_n->data)->idx > dn->idx) {
+		while (max_n && ((RGraphDomNode *)max_n->data)->idx > dn->idx) {
 			max_n = (RGraphNode *)r_list_get_n (max_n->in_nodes, 0);
 		}
 // at this point max_n refers to the semi dominator (i hope this is correct)
 		RGraphNode *dom = min_n;
-		while (((RGraphDomNode *)max_n->data)->idx < ((RGraphDomNode *)dom->data)->idx) {
+		while (max_n && ((RGraphDomNode *)max_n->data)->idx < ((RGraphDomNode *)dom->data)->idx) {
 			dom = (RGraphNode *)r_list_get_n (dom->in_nodes, 0);
 		}
 // dom <= sdom

libr/util/hex.c

@@ -249,15 +249,16 @@ R_API char *r_hex_from_c(const char *code) {
 
 
 R_API char *r_hex_from_js(const char *code) {
-	char * s1 = strchr (code, '\'');
-	char * s2 = strchr (code, '"');
+	char *s1 = strchr (code, '\'');
+	char *s2 = strchr (code, '"');
 
 	/* there are no strings in the input */
-	if (!(s1 || s2)) {
+	if (!s1 || !s2) {
 		return NULL;
 	}
 
-	char * start, * end;
+	char *start;
+	char *end;
 	if (s1 < s2) {
 		start = s1;
 		end = strchr (start + 1, '\'');

libr/util/list.c

@@ -516,8 +516,12 @@ static RListIter *_merge(RListIter *first, RListIter *second, RListComparator cm
 			result = result->n;
 		}
 	}
-	head->p = NULL;
-	next->n = NULL;
+	if (head) {
+		head->p = NULL;
+	}
+	if (next) {
+		next->n = NULL;
+	}
 	return head;
 }
 

libr/util/rvc_rvc.c

@@ -1016,22 +1016,22 @@ static Sdb *vcdb_open(const char *rp) {
 static Rvc *open_rvc(const char *rp) {
 	if (rvc_repo_exists(rp)) {
 		Rvc *repo = R_NEW (Rvc);
-		if (repo) {
-			repo->p = &r_vc_plugin_rvc;
-			repo->db = vcdb_open (rp);
-			if (repo->db) {
-				repo->path = strdup(rp);
-				if (repo->path) {
-					return repo;
-				}
+		repo->p = &r_vc_plugin_rvc;
+		repo->db = vcdb_open (rp);
+		if (repo->db) {
+			repo->path = strdup(rp);
+			if (repo->path) {
+				return repo;
 			}
 		}
+		rvc_free (repo);
 	} else {
 		Rvc *repo = rvc_rvc_new (rp);
 		if (repo) {
 			repo->p = &r_vc_plugin_rvc;
 			return repo;
 		}
+		rvc_free (repo);
 	}
 	R_LOG_ERROR ("Can't open rvc repo in: %s", rp);
 	return NULL;

libr/util/udiff.c

@@ -91,7 +91,7 @@ static st32 lev_parse_matrix(Levrow *matrix, ut32 len, bool invert, RLevOp **chg
 	const size_t overflow = (size_t)-1 / (2 * sizeof (RLevOp));
 	int j = row->end;
 	size_t size = j;
-	RLevOp *changes = R_NEWS (RLevOp, size);
+	RLevOp *changes = R_NEWS (RLevOp, size + 1);
 	if (!changes) {
 		return -1;
 	}
@@ -104,15 +104,12 @@ static st32 lev_parse_matrix(Levrow *matrix, ut32 len, bool invert, RLevOp **chg
 
 		if (insert >= size) {
 			if (size >= overflow) {
-				// overflow paranoia
-				free (changes);
-				return -1;
+				goto leave;
 			}
 			size *= 2;
-			RLevOp *tmp = realloc (changes, size * sizeof (RLevOp));
+			RLevOp *tmp = realloc (changes, (1 + size) * sizeof (RLevOp));
 			if (!tmp) {
-				free (changes);
-				return -1;
+				goto leave;
 			}
 			changes = tmp;
 		}
@@ -131,21 +128,17 @@ static st32 lev_parse_matrix(Levrow *matrix, ut32 len, bool invert, RLevOp **chg
 			j--;
 			continue; // continue with same rows
 		}
-		free (row->changes);
-		row->changes = NULL;
+		R_FREE (row->changes);
 		row = prev_row--;
 	}
 	if (size - insert < j) {
 		if (size > overflow) {
-			// overly paranoid
-			free (changes);
-			return -1;
+			goto leave;
 		}
 		size += j - (size - insert);
-		RLevOp *tmp = realloc (changes, size * sizeof (RLevOp));
+		RLevOp *tmp = realloc (changes, (1 + size) * sizeof (RLevOp));
 		if (!tmp) {
-			free (changes);
-			return -1;
+			goto leave;
 		}
 		changes = tmp;
 	}
@@ -156,6 +149,9 @@ static st32 lev_parse_matrix(Levrow *matrix, ut32 len, bool invert, RLevOp **chg
 
 	*chgs = changes;
 	return insert;
+leave:
+	free (changes);
+	return -1;
 }
 
 static inline void lev_fill_changes(RLevOp *chgs, RLevOp op, ut32 count) {