From 77d6810d902f5315610cb18d89d178372a85fba3 Mon Sep 17 00:00:00 2001
From: Niels Dossche <niels.dossche@ugent.be>
Date: Tue, 21 Jan 2025 12:04:44 +0100
Subject: [PATCH] Fix potential memory leak in policy_section()

If sk_POLICYQUALINFO_push() fails, qual is not freed.
Fix it by adding POLICYQUALINFO_free() to the error path.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26499)

(cherry picked from commit ececabd9adb4b4def9c044491f993b94ba0c618f)
---
 crypto/x509/v3_cpols.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/x509/v3_cpols.c b/crypto/x509/v3_cpols.c
index ae602ea2cd2..603bb1ce598 100644
--- a/crypto/x509/v3_cpols.c
+++ b/crypto/x509/v3_cpols.c
@@ -195,6 +195,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                 goto err;
             }
             if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
+                POLICYQUALINFO_free(qual);
                 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
                 goto err;
             }
@@ -232,6 +233,7 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
             if (pol->qualifiers == NULL)
                 pol->qualifiers = sk_POLICYQUALINFO_new_null();
             if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
+                POLICYQUALINFO_free(qual);
                 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
                 goto err;
             }
-- 
2.47.2