Fix potential use after free in buffer_from_bytes() master
authorAlexandr Nedvedicky <sashan@openssl.org>
Wed, 25 Feb 2026 07:43:29 +0000 (08:43 +0100)
committerNeil Horman <nhorman@openssl.org>
Thu, 26 Feb 2026 15:05:12 +0000 (10:05 -0500)
Fix coverity issue 1681707

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Feb 26 15:05:37 2026
(Merged from https://github.com/openssl/openssl/pull/30169)

crypto/x509/x509_vpm.c

index 54cef44f591a7fa4df4fd7017c4418be5b61d817..89d4452a52b5a0c707f9d6d8c006d93575ac0612 100644 (file)
@@ -36,10 +36,12 @@ static X509_BUFFER *buffer_from_bytes(const uint8_t *bytes, size_t length)
     X509_BUFFER *buf;
 
     if ((buf = OPENSSL_zalloc(sizeof *buf)) != NULL
-        && (buf->data = OPENSSL_memdup(bytes, length)) != NULL)
+        && (buf->data = OPENSSL_memdup(bytes, length)) != NULL) {
         buf->len = length;
-    else
+    } else {
         OPENSSL_free(buf);
+        buf = NULL;
+    }
     return buf;
 }
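Review bot: The NULL return of buffer_from_bytes() now stands for two cases that callers cannot tell apart: a failed allocation and, if OPENSSL_memdup() returns NULL for a NULL pointer or a zero length (as I believe it does), an empty input. Because this error path previously handed back a freed pointer, the contract deserves a comment above the function, for example `/* Returns a newly allocated copy of |bytes|, or NULL on failure (including empty input); never a freed pointer. */`. The callers are not visible here, so it is worth confirming that each one tests the result for NULL before touching `->data` or `->len`. The function's opening lines are outside the hunk.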