pkcs7: Fix negative index handling in PKCS7_get_issuer_and_serial()

Reject negative indices before looking up the recipient info stack
entry.  This makes negative out-of-range indices match the existing
behavior for too-large positive indices and avoids dereferencing
a NULL recipient info.

Add a regression test for the negative index case.

Resolves: https://github.com/openssl/openssl/issues/30910

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Wed Jun 24 09:10:22 2026
(Merged from https://github.com/openssl/openssl/pull/30914)

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 7b6a3b36b4ba501d609b7f7815d6c5c0af753848..1878b4aac24757bace5a89df05410bf07bc38306 100644 (file)
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1171,7 +1171,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
     rsk = p7->d.signed_and_enveloped->recipientinfo;
     if (rsk == NULL)
         return NULL;
-    if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
+    if (idx < 0 || sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
         return NULL;
     ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
     return ri->issuer_and_serial;

diff --git a/test/pkcs7_test.c b/test/pkcs7_test.c
index adf069695e0a3dae1279aabffbd3342219f8bc19..3fe68f60aab54e915b758d8cd82ae2a288fb136a 100644 (file)
--- a/test/pkcs7_test.c
+++ b/test/pkcs7_test.c
@@ -15,6 +15,30 @@
 #include "internal/nelem.h"
 #include "testutil.h"
 
+static int pkcs7_issuer_and_serial_negative_idx_test(void)
+{
+    PKCS7 *p7 = NULL;
+    PKCS7_RECIP_INFO *ri = NULL;
+    int ret = 0;
+
+    if (!TEST_ptr(p7 = PKCS7_new())
+        || !TEST_true(PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped))
+        || !TEST_ptr(ri = PKCS7_RECIP_INFO_new())
+        || !TEST_true(PKCS7_add_recipient_info(p7, ri)))
+        goto end;
+    ri = NULL;
+
+    if (!TEST_ptr(PKCS7_get_issuer_and_serial(p7, 0))
+        || !TEST_ptr_null(PKCS7_get_issuer_and_serial(p7, -1)))
+        goto end;
+
+    ret = 1;
+end:
+    PKCS7_RECIP_INFO_free(ri);
+    PKCS7_free(p7);
+    return ret;
+}
+
 #ifndef OPENSSL_NO_EC
 static const unsigned char cert_der[] = {
     0x30, 0x82, 0x01, 0x51, 0x30, 0x81, 0xf7, 0xa0, 0x03, 0x02, 0x01, 0x02,
@@ -389,6 +413,7 @@ end:
 
 int setup_tests(void)
 {
+    ADD_TEST(pkcs7_issuer_and_serial_negative_idx_test);
 #ifndef OPENSSL_NO_EC
     ADD_TEST(pkcs7_verify_test);
     ADD_TEST(pkcs7_inner_content_verify_test);