From 50968d0378ebf05c90e8f1d167592797bbd258ba Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 20 Sep 2025 12:12:02 +0200
Subject: [PATCH] httpsrr: free old pointers when storing new

In case we get "funny" input and the same field is provided several
times, free the old pointer before stored a new memdup.

Reported in Joshua's sarif data

Closes #18631
---
 lib/httpsrr.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/httpsrr.c b/lib/httpsrr.c
index 26b8522cc9..8aa7f3b26e 100644
--- a/lib/httpsrr.c
+++ b/lib/httpsrr.c
@@ -98,6 +98,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_IPV4: /* addr4 list */
     if(!vlen || (vlen & 3)) /* the size must be 4-byte aligned */
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->ipv4hints);
     hi->ipv4hints = Curl_memdup(val, vlen);
     if(!hi->ipv4hints)
       return CURLE_OUT_OF_MEMORY;
@@ -107,6 +108,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_ECH:
     if(!vlen)
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->echconfiglist);
     hi->echconfiglist = Curl_memdup(val, vlen);
     if(!hi->echconfiglist)
       return CURLE_OUT_OF_MEMORY;
@@ -116,6 +118,7 @@ CURLcode Curl_httpsrr_set(struct Curl_easy *data,
   case HTTPS_RR_CODE_IPV6: /* addr6 list */
     if(!vlen || (vlen & 15)) /* the size must be 16-byte aligned */
       return CURLE_BAD_FUNCTION_ARGUMENT;
+    free(hi->ipv6hints);
     hi->ipv6hints = Curl_memdup(val, vlen);
     if(!hi->ipv6hints)
       return CURLE_OUT_OF_MEMORY;
@@ -186,6 +189,7 @@ CURLcode Curl_httpsrr_from_ares(struct Curl_easy *data,
        is in ServiceMode */
     target = ares_dns_rr_get_str(rr, ARES_RR_HTTPS_TARGET);
     if(target && target[0]) {
+      free(hinfo->target);
       hinfo->target = strdup(target);
       if(!hinfo->target) {
         result = CURLE_OUT_OF_MEMORY;