From c6967e8b8ba150ca40cb6d847f974b7e1cb6467e Mon Sep 17 00:00:00 2001
From: Maximilian Heise <7600641+maxheise@users.noreply.github.com>
Date: Fri, 12 Jun 2026 21:18:54 +0200
Subject: [PATCH] epub: free the ncx toc attribute string in get_toc_file_name

get_toc_file_name() in backend/epub/epub-document.c reads the spine's "toc" attribute into a local xmlChar *ncx: xmlChar *ncx = xml_get_data_from_node(spine, XML_ATTRIBUTE, (xmlChar*)"toc"); xml_get_data_from_node() in XML_ATTRIBUTE mode calls xmlGetProp(), which returns a freshly allocated copy of the attribute value that the caller owns and must release with xmlFree(). The value is used once, as the id to match in xml_parse_children_of_node(manifest, (xmlChar*)"item", (xmlChar*)"id", ncx); and is then never freed: the success path returns tocfilename without releasing ncx, so the copy is leaked. (On the ncx == NULL path no ncx string was allocated.) get_toc_file_name() is called once per load from setup_document_index() for documents that carry an NCX toc, so the leak happens on ordinary loads of such documents. Free ncx with xmlFree() immediately after its last use. xmlFree() is the deallocator that matches xmlGetProp().
---
 backend/epub/epub-document.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/epub/epub-document.c b/backend/epub/epub-document.c
index 57d626c4..06924faa 100644
--- a/backend/epub/epub-document.c
+++ b/backend/epub/epub-document.c
@@ -1174,6 +1174,7 @@ get_toc_file_name(gchar *containeruri)
 xmlretval = NULL;
 xml_parse_children_of_node(manifest,(xmlChar*)"item",(xmlChar*)"id",ncx);
+ xmlFree(ncx);
 gchar* tocfilename = (gchar*)xml_get_data_from_node(xmlretval,XML_ATTRIBUTE,(xmlChar*)"href");
 xml_free_doc();
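Review bot: The context line right after the added `xmlFree(ncx);` passes `xmlretval` to `xml_get_data_from_node()` with no visible check that the manifest lookup matched anything, although `xmlretval` is reset to NULL just before the lookup. An EPUB whose spine `toc` id has no matching manifest `item` would therefore reach that call with NULL; whether that is tolerated depends on `xml_get_data_from_node()`, which is outside the hunk. Assuming callers accept a NULL result as they do on the `ncx == NULL` path, a guard such as `if (xmlretval == NULL) { xml_free_doc(); return NULL; }` after the free would make the malformed-document path explicit. The ownership rule this commit applies to `ncx` also covers `tocfilename`, which per the description is an xmlGetProp() copy cast to `gchar*`, so a one-line comment such as `/* caller owns tocfilename; allocated by xmlGetProp() */` would help. The body of get_toc_file_name() starts and ends outside the hunk.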