libsepol: clean memory on conditional read failure

Free the local access vector list on failure as it does not get moved
into the policy structure.

    Direct leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
        SELinuxProject#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
        SELinuxProject#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
        SELinuxProject#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
        SELinuxProject#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
        SELinuxProject#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
        SELinuxProject#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
        SELinuxProject#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
        SELinuxProject#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
        SELinuxProject#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
        SELinuxProject#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
        SELinuxProject#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
        SELinuxProject#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16

Signed-off-by: Christian Göttsche <[email protected]>

libsepol/src/conditional.c

@@ -724,8 +724,10 @@ static int cond_read_av_list(policydb_t * p, void *fp,
 	for (i = 0; i < len; i++) {
 		rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
 				     cond_insertf, &data);
-		if (rc)
+		if (rc) {
+			cond_av_list_destroy(data.head);
 			return rc;
+		}
 
 	}