Destroy PQExpBuffers before exiting scope

Make sure to call destroyPQExpBuffer() on buffers before leaking
allocated resources, and document why some buffers must be kept
until the end of the functions to avoid NULL pointer derefs.

Per gripes in Coverity

src/backend/cdb/cdbbackup.c

@@ -311,7 +311,7 @@ gp_backup_launch__(PG_FUNCTION_ARGS)
 		}
 	}
 
-	PQExpBuffer escapeBuf = createPQExpBuffer();
+	PQExpBuffer escapeBuf = NULL;
 
 	pszDBName = NULL;
 	pszUserName = (char *) NULL;
@@ -324,7 +324,16 @@ gp_backup_launch__(PG_FUNCTION_ARGS)
 	if (pszDBName == NULL)
 		pszDBName = "";
 	else
+	{
+		/*
+		 * pszDBName will be pointing to the data portion of the PQExpBuffer
+		 * once escpaped (escapeBuf->data), so we can't safely destroy the
+		 * escapeBuf buffer until the end of the function.
+		 */
+		escapeBuf = createPQExpBuffer();
 		pszDBName = shellEscape(pszDBName, escapeBuf, true);
+	}
+
 	if (pszUserName == NULL)
 		pszUserName = "";
 
@@ -975,6 +984,8 @@ gp_backup_launch__(PG_FUNCTION_ARGS)
 
 	assert(pszSaveBackupfileName != NULL && pszSaveBackupfileName[0] != '\0');
 
+	destroyPQExpBuffer(escapeBuf);
+
 	return DirectFunctionCall1(textin, CStringGetDatum(pszSaveBackupfileName));
 }
 
@@ -1209,6 +1220,11 @@ gp_restore_launch__(PG_FUNCTION_ARGS)
 		pszDBName = "";
 	else
 	{
+		/*
+		 * pszDBName will be pointing to the data portion of the PQExpBuffer
+		 * once escpaped (escapeBuf->data), so we can't safely destroy the
+		 * escapeBuf buffer until the end of the function.
+		 */
 		escapeBuf = createPQExpBuffer();
 		aclNameBuf = createPQExpBuffer();
 		pszDBName = shellEscape(pszDBName, escapeBuf, true);