From: Pauli
Date: Fri, 25 Jun 2021 02:54:43 +0000 (+1000)
Subject: x509: address NULL dereference and memory leaks
X-Git-Tag: openssl-3.0.0-beta2~188
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=150251904c2b4c2cffd7429af90cd0486e3682d7;p=thirdparty%2Fopenssl.git

x509: address NULL dereference and memory leaks

Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/15910)
---

diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index e669ae35745..b20b756e9a5 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -84,14 +84,16 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub)
 
 static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
- X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
+ X509_PUBKEY *pubkey;
 
- X509_ALGOR_free(pubkey->algor);
- ASN1_BIT_STRING_free(pubkey->public_key);
- EVP_PKEY_free(pubkey->pkey);
- OPENSSL_free(pubkey->propq);
- OPENSSL_free(pubkey);
- *pval = NULL;
+ if (pval != NULL && (pubkey = (X509_PUBKEY *)*pval) != NULL) {
+ X509_ALGOR_free(pubkey->algor);
+ ASN1_BIT_STRING_free(pubkey->public_key);
+ EVP_PKEY_free(pubkey->pkey);
+ OPENSSL_free(pubkey->propq);
+ OPENSSL_free(pubkey);
+ *pval = NULL;
+ }
 }
 
 static int x509_pubkey_ex_populate(ASN1_VALUE **pval, const ASN1_ITEM *it)
diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c
index ef93db26d87..c88a58aa9f0 100644
--- a/crypto/x509/x_x509a.c
+++ b/crypto/x509/x_x509a.c
@@ -125,6 +125,8 @@ int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
 {
 X509_CERT_AUX *aux;
 ASN1_OBJECT *objtmp;
+ int res = 0;
+
 if ((objtmp = OBJ_dup(obj)) == NULL)
 return 0;
 if ((aux = aux_get(x)) == NULL)
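Review bot: The new guard in `x509_pubkey_ex_free` (crypto/x509/x_pubkey.c) has no comment saying why `pval` or `*pval` can be NULL at this point, so a later cleanup could take it for dead code and bring back the NULL dereference this commit removes. A one-line comment above the `if` would pin the contract, for example `/* Freeing a NULL value must be a no-op. */`; the caller that reaches this function with NULL is not visible in the hunk, so the wording should be checked against it. As a point of style, the assignment inside the condition is easier to audit as `if (pval == NULL || *pval == NULL) return;` followed by a plain `pubkey = (X509_PUBKEY *)*pval;`.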
@@ -132,10 +134,13 @@ int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
 if (aux->reject == NULL
 && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL)
 goto err;
- return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+ if (sk_ASN1_OBJECT_push(aux->reject, objtmp) > 0)
+ res = 1;
+
 err:
- ASN1_OBJECT_free(objtmp);
- return 0;
+ if (!res)
+ ASN1_OBJECT_free(objtmp);
+ return res;
 }
 
 void X509_trust_clear(X509 *x)
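Review bot: The `err:` label in `X509_add1_reject_object` is now also the success exit, and the unexplained `if (!res)` test is the only thing that stops `objtmp` being freed while `aux->reject` still holds it. I would add `/* objtmp belongs to aux->reject once pushed; free it only on failure */` above `if (!res)`, so a later edit does not turn this path into a double free or use-after-free. The return value also changes from the result of `sk_ASN1_OBJECT_push` to a plain 0/1, which is worth stating in the function's comment or documentation. The function starts in the previous hunk, where `res` is declared.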