@bagder - I believe the check at line 375/376 is relatively new whilst the code at 381 is a little older. Off the top of my head I think this check is designed to not send a response that may break the line length of the protocol that is using this code and may stem from line length limits in SMTP (??). This newer code is a result of when the authentication code was consolidated and moved out of IMAP, POP3 and SMTP. I would have to look at the log to be absolutely sure though.
That aside, I think PVS Studio is partly getting confused when no mechanism is chosen / matched against and "mech" will be NULL. Technically speaking "resp" will be NULL as well so this code cannot be executed.
When I have this type of thing with Visual Studio and uninitialized variables, for example, I tend to keep the compiler happy and initialise those variables so I would be tempted to try and fix the code and check that "mech" is a valid pointer before using it:
a) We can stick a check for "mech" in the if at line 375. However, we would end up with two checks for "mech" - see line 381.
b) We could move the block at line 375 into the "if(mech)" check but would end up with extra nesting.
c) Modify "if(!result)" to become "if(!result && mech) then the extra if(!mech) on line 381 can come out.
The first warning seems to be based on the names according to docs so it is propably warning because the variables are named state1 and state2 but both assign OAUTH2 values (emphasis on the number 2 there). So let's disregard that one.
To me it seems like your suggestion (C) is the smallest fix that is still quite nice.
Although this should never happen due to the relationship between the
'mech' and 'resp' variables, and the way they are allocated together,
it does cause problems for code analysis tools:
V595 The 'mech' pointer was utilized before it was verified against
nullptr. Check lines: 376, 381. curl_sasl.c 376
Reported-by: Alexis La Goutte