https://github.com/vrtadmin/clamav-devel/commit/f5bc94cf01e6a19d5255c0e5f9a5bc2336f5a2b1
backported (re-merge). See also:

 - https://bugzilla.clamav.net/show_bug.cgi?id=11549
 - https://github.com/e2guardian/e2guardian/issues/159

--- clamav-0.99.2/libclamav/scanners.c			2016-04-22 17:02:19.000000000 +0200
+++ clamav-0.99.2/libclamav/scanners.c.temp-cleanup	2017-11-17 00:59:14.295670694 +0100
@@ -1342,37 +1342,33 @@
 		return CL_CLEAN;
 	}
 
-	/* dump to disk only if explicitly asked to
-	 * or if necessary to check relative offsets,
-	 * otherwise we can process just in-memory */
-	if(ctx->engine->keeptmp || (troot && troot->ac_reloff_num > 0)) {
-		if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) {
-			cli_dbgmsg("cli_scanscript: Can't generate temporary file/descriptor\n");
-			return ret;
-		}
-		if (ctx->engine->keeptmp)
-			cli_dbgmsg("cli_scanscript: saving normalized file to %s\n", tmpname);
-	}
-
 	if(!(normalized = cli_malloc(SCANBUFF + maxpatlen))) {
 		cli_dbgmsg("cli_scanscript: Unable to malloc %u bytes\n", SCANBUFF);
-		free(tmpname);
 		return CL_EMEM;
 	}
-
 	text_normalize_init(&state, normalized, SCANBUFF + maxpatlen);
-	ret = CL_CLEAN;
-
 
 	if ((ret = cli_ac_initdata(&tmdata, troot?troot->ac_partsigs:0, troot?troot->ac_lsigs:0, troot?troot->ac_reloff_num:0, CLI_DEFAULT_AC_TRACKLEN))) {
-		free(tmpname);
-		return ret;
+            free(normalized);
+            return ret;
 	}
 
 	if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) {
-		cli_ac_freedata(&tmdata);
-		free(tmpname);
-		return ret;
+            cli_ac_freedata(&tmdata);
+            free(normalized);
+            return ret;
+	}
+
+	/* dump to disk only if explicitly asked to
+	 * or if necessary to check relative offsets,
+	 * otherwise we can process just in-memory */
+	if(ctx->engine->keeptmp || (troot && troot->ac_reloff_num > 0)) {
+            if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &ofd))) {
+                cli_dbgmsg("cli_scanscript: Can't generate temporary file/descriptor\n");
+                goto done;
+            }
+            if (ctx->engine->keeptmp)
+                cli_dbgmsg("cli_scanscript: saving normalized file to %s\n", tmpname);
 	}
 
 	mdata[0] = &tmdata;
@@ -1387,10 +1383,9 @@
 			map_off += written;
 
 			if  (write(ofd, state.out, state.out_pos) == -1) {
-				cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
-				close(ofd);
-				free(tmpname);
-				return CL_EWRITE;
+                            cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
+                            ret = CL_EWRITE;
+                            goto done;
 			}
 			text_normalize_reset(&state);
 		}
@@ -1409,11 +1404,6 @@
 			funmap(*ctx->fmap);
 		}
 		*ctx->fmap = map;
-
-		/* If we aren't keeping temps, delete the normalized file after scan. */
-		if(!(ctx->engine->keeptmp))
-			if (cli_unlink(tmpname)) ret = CL_EUNLINK;
-
 	} else {
 		/* Since the above is moderately costly all in all,
 		 * do the old stuff if there's no relative offsets. */
@@ -1421,11 +1411,8 @@
 		if (troot) {
 			cli_targetinfo(&info, 7, map);
 			ret = cli_ac_caloff(troot, &tmdata, &info);
-			if (ret) {
-				cli_ac_freedata(&tmdata);
-				free(tmpname);
-				return ret;
-			}
+			if (ret)
+                            goto done;
 		}
 
 		while(1) {
@@ -1466,13 +1453,6 @@
 
 	}
 
-	if(ctx->engine->keeptmp) {
-		free(tmpname);
-		if (ofd >= 0)
-			close(ofd);
-	}
-	free(normalized);
-
 	if(ret != CL_VIRUS || SCAN_ALL)  {
 		if ((ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS)
 			viruses_found++;
@@ -1481,9 +1461,19 @@
 				viruses_found++;
 	}
 
+done:
+	free(normalized);
 	cli_ac_freedata(&tmdata);
 	cli_ac_freedata(&gmdata);
 
+	if (ofd != -1)
+		close(ofd);
+	if (tmpname != NULL) {
+		if (!ctx->engine->keeptmp)
+			cli_unlink(tmpname);
+		free(tmpname);
+	}
+
 	if (SCAN_ALL && viruses_found)
 		return CL_VIRUS;