pkcs7: fix NULL contents dereference in PKCS7_stream

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 17:01:56 2026
(Merged from https://github.com/openssl/openssl/pull/30351)

(cherry picked from commit 4b8968753c7509da4c51ea3343e3c089433bad5b)

diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 372144b00caea65b9a53a8cc330b440054ea17f1..26cf3ff0c50ea63841bf69c54ee8d08d5a9becfe 100644 (file)
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -743,6 +743,10 @@ int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
         break;
 
     case NID_pkcs7_signed:
+        if (p7->d.sign == NULL || p7->d.sign->contents == NULL) {
+            ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT);
+            break;
+        }
         os = p7->d.sign->contents->d.data;
         break;