From 7e9498b5c7f9f90522a8755fd15bc06c6605ef1e Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 28 Aug 2025 18:33:06 +0200
Subject: [PATCH] X509_VERIFY_PARAM_get0(): add check to defend on out-of-bound table access

Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/28370)
(cherry picked from commit ceb45f64bde3d299c7ef529e5cd5372e4a421366)
---
 crypto/x509/v3_purp.c | 2 +-
 crypto/x509/x509_vpm.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index 4688aaeea41..1db22047cf0 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -186,7 +186,7 @@ int X509_PURPOSE_add(int id, int trust, int flags,
 return 0;
 }
 if (trust < X509_TRUST_DEFAULT || name == NULL || sname == NULL || ck == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
+ ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
 return 0;
 }
 
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 6f1cfd9320e..efe08ff6831 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -635,6 +635,11 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id)
 {
 int num = OSSL_NELEM(default_table);
 
+ if (id < 0) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
+ return NULL;
+ }
+
 if (id < num)
 return default_table + id;
 return sk_X509_VERIFY_PARAM_value(param_table, id - num);
-- 
2.47.3
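Review bot: The invalid-argument path in X509_PURPOSE_add() now reports `ERR_LIB_X509V3` instead of `ERR_LIB_X509`, which the commit subject does not mention, and the patch is a cherry-pick. Callers or tests that match this failure by `ERR_GET_LIB()` would stop matching after the backport, so the change deserves its own line in the commit message or changelog. The function starts and ends outside the hunk, so whether the neighbouring ERR_raise calls already use `ERR_LIB_X509V3` cannot be confirmed from here.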
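Review bot: In X509_VERIFY_PARAM_get0() only the lower bound gets an explicit check and an error entry; an `id` past the end of both tables still falls through to `sk_X509_VERIFY_PARAM_value(param_table, id - num)`. That call is expected to return NULL for an out-of-range index without queuing an error, so callers would see NULL from two paths with different error-queue state. A comment above the function would record the contract, e.g. `/* Returns NULL if id < 0 (error raised) or if id is beyond default_table and param_table (no error raised). */`. The diffstat lists only the two source files, so a regression test that calls `X509_VERIFY_PARAM_get0(-1)` and expects NULL would keep the guard from being lost in a later refactor.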