fix: memory leaks, resource leaks, out of bounds and bugs

ASTERISK-26119 #close

Change-Id: Iecbf7d0f360a021147344c4e83ab242fd1e7512c

main/ast_expr2.c

@@ -3669,13 +3669,20 @@ op_tildetilde (struct val *a, struct val *b)
 	/* strip double quotes from both -- */
 	strip_quotes(a);
 	strip_quotes(b);
-	
+
 	vs = malloc(strlen(a->u.s)+strlen(b->u.s)+1);
+	if (vs == NULL) {
+		ast_log(LOG_WARNING, "malloc() failed\n");
+		return NULL;
+	}
+
 	strcpy(vs,a->u.s);
 	strcat(vs,b->u.s);
 
 	v = make_str(vs);
 
+	free(vs);
+
 	/* free arguments */
 	free_value(a);
 	free_value(b);

main/ast_expr2.y

@@ -1662,13 +1662,20 @@ op_tildetilde (struct val *a, struct val *b)
 	/* strip double quotes from both -- */
 	strip_quotes(a);
 	strip_quotes(b);
-	
+
 	vs = malloc(strlen(a->u.s)+strlen(b->u.s)+1);
+	if (vs == NULL) {
+		ast_log(LOG_WARNING, "malloc() failed\n");
+		return NULL;
+	}
+
 	strcpy(vs,a->u.s);
 	strcat(vs,b->u.s);
 
 	v = make_str(vs);
 
+	free(vs);
+
 	/* free arguments */
 	free_value(a);
 	free_value(b);

main/say.c

@@ -8521,9 +8521,9 @@ int ast_say_date_with_format_ja(struct ast_channel *chan, time_t time, const cha
                      /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                      case '\'':
                              /* Literal name of a sound file */
-                             sndoffset=0;
-                             for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < 256) ; sndoffset++)
+                             for (sndoffset = 0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                      sndfile[sndoffset] = format[offset];
+                             }
                              sndfile[sndoffset] = '\0';
                              res = wait_file(chan,ints,sndfile,lang);
                              break;