From 4b8a8bb75229b64d1c7598d845fdc3c7e7d7eee2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 20 Aug 2021 15:23:32 +0100
Subject: [PATCH] Fix the error handling in i2v_AUTHORITY_KEYID

Previously if an error path is entered a leak could result.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
---
 crypto/x509/v3_akid.c                         |  33 ++++++++++++++----
 .../0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c  | Bin 0 -> 457 bytes
 2 files changed, 26 insertions(+), 7 deletions(-)
 create mode 100644 fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c

diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index c8693a4ef5e..5abd35d644c 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -40,29 +40,48 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                                  STACK_OF(CONF_VALUE)
                                                  *extlist)
 {
-    char *tmp;
+    char *tmp = NULL;
+    STACK_OF(CONF_VALUE) *origextlist = extlist, *tmpextlist;
+
     if (akeyid->keyid) {
         tmp = OPENSSL_buf2hexstr(akeyid->keyid->data, akeyid->keyid->length);
         if (tmp == NULL) {
             ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL,
-                         tmp, &extlist);
+        if (!X509V3_add_value((akeyid->issuer || akeyid->serial) ? "keyid" : NULL,
+                              tmp, &extlist)) {
+            OPENSSL_free(tmp);
+            ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB);
+            goto err;
+        }
         OPENSSL_free(tmp);
     }
-    if (akeyid->issuer)
-        extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+    if (akeyid->issuer) {
+        tmpextlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);
+        if (tmpextlist == NULL) {
+            ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB);
+            goto err;
+        }
+        extlist = tmpextlist;
+    }
     if (akeyid->serial) {
         tmp = OPENSSL_buf2hexstr(akeyid->serial->data, akeyid->serial->length);
         if (tmp == NULL) {
             ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-            return NULL;
+            goto err;
+        }
+        if (!X509V3_add_value("serial", tmp, &extlist)) {
+            OPENSSL_free(tmp);
+            goto err;
         }
-        X509V3_add_value("serial", tmp, &extlist);
         OPENSSL_free(tmp);
     }
     return extlist;
+ err:
+    if (origextlist == NULL)
+        sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);
+    return NULL;
 }
 
 /*-
diff --git a/fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c b/fuzz/corpora/x509/0bf7ea6564ba1096f9760bbd6ed02f25aa0d583c
new file mode 100644
index 0000000000000000000000000000000000000000..afb6c2d9162bbd5785e5d1ec38cab76352451db1
GIT binary patch
literal 457
zc-k{)VmxZl#F)Q;nTe5!iId@6*=nZ~31@r_c-c6$+C196^D;8Bure4Z8wwcku`!3T
za0#>fCKi=s=9C!n0~G;9n1$K$iW7~D3=QPOc?}H>ObslI3`{LeETVv16Cl?d$|cT_
z7-Xv%Ss9qU84Ns_92qvp$L5uags^{d|Kzr>wY0_KPLIdUsEr#XcqMB0uvtsK&rCPk
zo^|@x-@dwy`hNo?9WRMEXefNjPX5>H*<`$BI}<Y_1LNYxR)fYS16iPzvV1IJEF$`k
zcicOlz4~Xz;>P%O-5)HLe4aDYAQ&XA%;IC<)qt+R9Hd~O`Z84%&oDp$GrDJ*kOGtk
zWT-F;s{tD$<A1c^Wp-rnO5HyHx&F-Xzz24bbJznHt6W(X`~A_@BR0S9{ko$t(>Bu2
kcX4dy@0*96U9J@^7CArn$+V)1Yb^8L?w8i&yVM{H09dk;%K!iX

literal 0
Hc-jL100001

-- 
2.47.3