From: Alexandr Nedvedicky Date: Wed, 25 Feb 2026 07:43:29 +0000 (+0100) Subject: Fix potential use after free in buffer_from_bytes() X-Git-Tag: openssl-4.0.0-alpha1~90 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=89e9bd3fa66a62547c38f97e73eec402e36665ac;p=thirdparty%2Fopenssl.git Fix potential use after free in buffer_from_bytes() Fix coverity issue 1681707 Reviewed-by: Eugene Syromiatnikov Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale MergeDate: Thu Feb 26 15:05:37 2026 (Merged from https://github.com/openssl/openssl/pull/30169)
---
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 54cef44f591..89d4452a52b 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -36,10 +36,12 @@ static X509_BUFFER *buffer_from_bytes(const uint8_t *bytes, size_t length)
 X509_BUFFER *buf;
 if ((buf = OPENSSL_zalloc(sizeof *buf)) != NULL
- && (buf->data = OPENSSL_memdup(bytes, length)) != NULL)
+ && (buf->data = OPENSSL_memdup(bytes, length)) != NULL) {
 buf->len = length;
- else
+ } else {
 OPENSSL_free(buf);
+ buf = NULL;
+ }
 return buf;
 }
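Review bot: buffer_from_bytes() still has no comment stating its return contract, although the new `buf = NULL;` in the else branch is what makes that contract hold. I would add above the definition: `/* Returns a newly allocated X509_BUFFER owning a copy of bytes, or NULL on failure (nothing is leaked); the caller frees the result. */`. The else branch serves both a failed OPENSSL_zalloc and a failed OPENSSL_memdup, so callers cannot tell the two apart. If a zero `length` or NULL `bytes` can make OPENSSL_memdup return NULL (not visible in this hunk), that case is reported the same way. The signature appears only in the hunk header and the callers are outside the hunk, so it is worth confirming that each one checks for NULL now that the function no longer returns a freed pointer.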