These were found by valgrind and verified by hand. I do not think they are serious. I'm sorry for not including line numbers, but I doubt they would be the same as in your actual source files anyway.
1. string returned from find_home_dir() not freed in process_sqliterc(). The find_home_dir() function returns a string allocated by malloc() which the caller must free. But process_sqliterc() does not. This function stores the string in a local variable called home_dir then uses it to calculate another string with a full path. Excerpt: home_dir = find_home_dir(); if( home_dir==0 ){ fprintf(stderr, "-- warning: cannot find home directory;" " cannot read ~/.sqliterc\n"); return; } sqlite3_initialize(); zBuf = sqlite3_mprintf("%s/.sqliterc",home_dir); sqliterc = zBuf; It appears a good place to call free() would be at the end of this code block, as home_dir is not used afterwards. 2. ShellState.zKey not freed In the SEE shell, the shell accepts an encryption key using the -key and -hexkey command-line arguments. Strings are allocated by sqlite3_mprintf() and stored in the zKey field of the ShellState struct as shown in the excerpt below. }else if( strcmp(argv[i],"-key")==0 ){ data.zKey = sqlite3_mprintf("%s",cmdline_option_value(argc,argv,++i)); data.nKey = strlen(data.zKey); }else if( strcmp(argv[i],"-hexkey")==0 ){ data.zKey = sqlite3_mprintf("%s",cmdline_option_value(argc,argv,++i)); data.nKey = shellHexToBin(data.zKey); if( data.nKey<0 ){ fprintf(stderr, "%s: invalid key string\n", argv[0]); exit(1); } The contract for sqlite3_mprintf is that the caller must free the result using sqlite3_free(). But this never happens. A reasonable place to perform the free would be at the end of main() where other cleanup is also performed. JKL