CHtpasswdSecurityManager::loadPwds contains a try/catch block. Multiple string exceptions can be thrown from within the try, directly in the method and presumably indirectly from methods called. These exceptions are immediately caught and a new, generic string exception is thrown in their place.
The original exception is leaked. The exception is not captured by the catch and is not released.