Fix unchecked malloc returns, NULL dereferences, and resource leaks

- store_file.c: check malloc(header_len) before use
- store_memcached.c: check malloc(header_len) before use
- store_rados.c: check malloc(header_len), malloc(sz2); fix ctx-only NULL
  check to also cover store; log error and return on failure
- renderd.c: check malloc for render_threads and slave_threads arrays
- store_ro_http_proxy.c: free chunk.memory on curl error paths to prevent
  memory leak when transfer is partially completed before failure
- store_ro_composite.c: check strstr() results before pointer arithmetic
  (NULL deref if separator missing); check malloc for primary connection
  string; free intermediate strings on all error paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: stevekennedyuk

src/renderd.c

@@ -888,6 +888,12 @@ int main(int argc, char **argv)
 
 	render_threads = (pthread_t *) malloc(sizeof(pthread_t) * config.num_threads);
 
+	if (render_threads == NULL) {
+		g_logger(G_LOG_LEVEL_CRITICAL, "Failed to allocate memory for render threads");
+		close(fd);
+		return 7;
+	}
+
 	for (i = 0; i < config.num_threads; i++) {
 		if (pthread_create(&render_threads[i], NULL, render_thread, (void *)maps)) {
 			g_logger(G_LOG_LEVEL_CRITICAL, "Could not spawn rendering thread");
@@ -901,6 +907,12 @@ int main(int argc, char **argv)
 		k = 0;
 		slave_threads = (pthread_t *) malloc(sizeof(pthread_t) * num_slave_threads);
 
+		if (slave_threads == NULL) {
+			g_logger(G_LOG_LEVEL_CRITICAL, "Failed to allocate memory for slave threads");
+			close(fd);
+			return 7;
+		}
+
 		for (i = 1; i < MAX_SLAVES; i++) {
 			for (j = 0; j < config_slaves[i].num_threads; j++) {
 				if (pthread_create(&slave_threads[k++], NULL, slave_thread, (void *) &config_slaves[i])) {

src/store_file.c

@@ -74,6 +74,11 @@ static int file_tile_read(struct storage_backend * store, const char *xmlconfig,
 	struct meta_layout *m = (struct meta_layout *)malloc(header_len);
 	size_t file_offset, tile_size;
 
+	if (m == NULL) {
+		snprintf(log_msg, PATH_MAX - 1, "Failed to allocate memory for metatile header\n");
+		return -1;
+	}
+
 	meta_offset = xyzo_to_meta(path, sizeof(path), store->storage_ctx, xmlconfig, options, x, y, z);
 
 	fd = open(path, O_RDONLY);

src/store_memcached.c

@@ -80,6 +80,11 @@ static int memcached_tile_read(struct storage_backend * store, const char *xmlco
 	memcached_return_t rc;
 	char * buf_raw;
 
+	if (m == NULL) {
+		snprintf(log_msg, 1024, "Failed to allocate memory for metatile header\n");
+		return -1;
+	}
+
 	mask = METATILE - 1;
 	meta_offset = (x & mask) * METATILE + (y & mask);
 

src/store_rados.c

@@ -134,6 +134,11 @@ static int rados_tile_read(struct storage_backend * store, const char *xmlconfig
 	int err;
 	char * buf_raw;
 
+	if (m == NULL) {
+		snprintf(log_msg, 1024, "Failed to allocate memory for metatile header\n");
+		return -1;
+	}
+
 	mask = METATILE - 1;
 	meta_offset = (x & mask) * METATILE + (y & mask);
 
@@ -234,6 +239,11 @@ static int rados_metatile_write(struct storage_backend * store, const char *xmlc
 	char * buf2 = malloc(sz2);
 	int err;
 
+	if (buf2 == NULL) {
+		g_logger(G_LOG_LEVEL_ERROR, "rados_metatile_write: failed to allocate memory for write buffer");
+		return -1;
+	}
+
 	tile_stat.expired = 0;
 	tile_stat.size = sz;
 	tile_stat.mtime = time(NULL);
@@ -351,7 +361,7 @@ struct storage_backend * init_storage_rados(const char * connection_string)
 	int err;
 	int i;
 
-	if (ctx == NULL) {
+	if (ctx == NULL || store == NULL) {
 		free(ctx);
 		free(store);
 		return NULL;

src/store_ro_composite.c

@@ -248,7 +248,23 @@ struct storage_backend * init_storage_ro_composite(const char * connection_strin
 	}
 
 	connection_string_secondary = strstr(connection_string, "}{");
+
+	if (connection_string_secondary == NULL) {
+		g_logger(G_LOG_LEVEL_ERROR, "init_storage_ro_composite: malformed connection string, missing '}{' separator: %s", connection_string);
+		free(ctx);
+		free(store);
+		return NULL;
+	}
+
 	connection_string_primary = malloc(strlen(connection_string) - strlen("composite:{") - strlen(connection_string_secondary) + 1);
+
+	if (connection_string_primary == NULL) {
+		g_logger(G_LOG_LEVEL_ERROR, "init_storage_ro_composite: failed to allocate memory for primary connection string");
+		free(ctx);
+		free(store);
+		return NULL;
+	}
+
 	memcpy(connection_string_primary, connection_string + strlen("composite:{"), strlen(connection_string) - strlen("composite:{") - strlen(connection_string_secondary));
 	connection_string_primary[strlen(connection_string) - strlen("composite:{") - strlen(connection_string_secondary)] = 0;
 	connection_string_secondary = strdup(connection_string_secondary + 2);
@@ -258,18 +274,41 @@ struct storage_backend * init_storage_ro_composite(const char * connection_strin
 	g_logger(G_LOG_LEVEL_DEBUG, "init_storage_ro_composite: Secondary storage backend: %s", connection_string_secondary);
 
 	tmp = strstr(connection_string_primary, ",");
+
+	if (tmp == NULL) {
+		g_logger(G_LOG_LEVEL_ERROR, "init_storage_ro_composite: malformed primary connection string, missing ',' separator: %s", connection_string_primary);
+		free(connection_string_primary);
+		free(connection_string_secondary);
+		free(ctx);
+		free(store);
+		return NULL;
+	}
+
 	memcpy(ctx->xmlconfig_primary, connection_string_primary, tmp - connection_string_primary);
 	ctx->xmlconfig_primary[tmp - connection_string_primary] = 0;
 	ctx->store_primary = init_storage_backend(tmp + 1);
 
 	if (ctx->store_primary == NULL) {
 		g_logger(G_LOG_LEVEL_ERROR, "init_storage_ro_composite: failed to initialise primary storage backend");
+		free(connection_string_primary);
+		free(connection_string_secondary);
 		free(ctx);
 		free(store);
 		return NULL;
 	}
 
 	tmp = strstr(connection_string_secondary, ",");
+
+	if (tmp == NULL) {
+		g_logger(G_LOG_LEVEL_ERROR, "init_storage_ro_composite: malformed secondary connection string, missing ',' separator: %s", connection_string_secondary);
+		free(connection_string_primary);
+		free(connection_string_secondary);
+		ctx->store_primary->close_storage(ctx->store_primary);
+		free(ctx);
+		free(store);
+		return NULL;
+	}
+
 	memcpy(ctx->xmlconfig_secondary, connection_string_secondary, tmp - connection_string_secondary);
 	ctx->xmlconfig_secondary[tmp - connection_string_secondary] = 0;
 	ctx->store_secondary = init_storage_backend(tmp + 1);

src/store_ro_http_proxy.c

@@ -116,6 +116,7 @@ static int ro_http_proxy_tile_retrieve(struct storage_backend * store, const cha
 
 		if (res != CURLE_OK) {
 			g_logger(G_LOG_LEVEL_ERROR, "ro_http_proxy_tile_fetch: failed to retrieve file: %s", curl_easy_strerror(res));
+			free(chunk.memory);
 			ctx->cache.x = -1;
 			ctx->cache.y = -1;
 			ctx->cache.z = -1;
@@ -126,6 +127,7 @@ static int ro_http_proxy_tile_retrieve(struct storage_backend * store, const cha
 
 		if (res != CURLE_OK) {
 			g_logger(G_LOG_LEVEL_ERROR, "ro_http_proxy_tile_fetch: failed to retrieve HTTP code: %s", curl_easy_strerror(res));
+			free(chunk.memory);
 			ctx->cache.x = -1;
 			ctx->cache.y = -1;
 			ctx->cache.z = -1;