From: Tomas Mraz
Date: Wed, 21 Jan 2026 18:10:28 +0000 (+0100)
Subject: rsa_sig.c: Properly duplicate the sig member
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5c45d8407980ec0963bebc647ed2fb85b94996f;p=thirdparty%2Fopenssl.git

rsa_sig.c: Properly duplicate the sig member

Otherwise UAF and doublefree appears when the duplicate is freed.

Reviewed-by: Richard Levitte
Reviewed-by: Eugene Syromiatnikov
Reviewed-by: Paul Dale
MergeDate: Fri Jan 23 10:37:34 2026
(Merged from https://github.com/openssl/openssl/pull/29707)
---

diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index c11b9daaed1..96e631ae6c2 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1347,6 +1347,7 @@ static void *rsa_dupctx(void *vprsactx)
 dstctx->mdctx = NULL;
 dstctx->tbuf = NULL;
 dstctx->propq = NULL;
+ dstctx->sig = NULL;

 if (srcctx->rsa != NULL && !RSA_up_ref(srcctx->rsa))
 goto err;
@@ -1373,6 +1374,12 @@ static void *rsa_dupctx(void *vprsactx)
 goto err;
 }

+ if (srcctx->sig != NULL) {
+ dstctx->sig = OPENSSL_memdup(srcctx->sig, srcctx->siglen);
+ if (dstctx->sig == NULL)
+ goto err;
+ }
+
 return dstctx;
 err:
 rsa_freectx(dstctx);
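Review bot: The run of `dstctx->... = NULL` assignments that the added `dstctx->sig = NULL;` joins carries an undocumented invariant: every pointer member the context owns must be cleared before the first `goto err`, otherwise `rsa_freectx(dstctx)` at `err:` releases memory the source context still holds. That is presumably how `sig` was missed, assuming dstctx begins as a plain copy of srcctx above the hunk, which is not visible here. I would put a comment over the block, `/* Clear every owned pointer before the first goto err; rsa_freectx(dstctx) must never free srcctx's members. Extend this list when adding an owned member. */`.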
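Review bot: In the new `if (srcctx->sig != NULL)` block every NULL return from `OPENSSL_memdup` is treated as an allocation failure, so a context with a non-NULL `sig` and a `siglen` of 0 would fail to duplicate if the allocator returns NULL for a zero-byte request, which I believe OpenSSL's does. Whether the parameter setter can leave the context in that state is not visible in this hunk and should be confirmed. If it can, the zero-length case needs explicit handling, for example `if (srcctx->sig != NULL && srcctx->siglen > 0) {`, provided the verify path tolerates a NULL `sig` with length 0. Since the commit message cites a use-after-free and double free, a regression test that duplicates a context with `sig` set and frees both copies under a sanitizer build would keep the fix from regressing. rsa_dupctx starts above the hunk and continues past its last line.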