From 66ddc0759a435672f1c48b856a0968e7f6e35a82 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Wed, 12 May 2021 14:22:52 +1000
Subject: [PATCH] x509: fix a dangling pointer

If object was pointer was passed and an error occured the object was freed & the pointer returned. Fix this to NULL out the caller's pointer before returning.

Fixes #15115

Reviewed-by: Richard Levitte
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15238)
---
 crypto/x509/x_x509.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 529d701bbb..7959ee223f 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -131,8 +131,10 @@ X509 *d2i_X509(X509 **a, const unsigned char **in, long len)
 /* Only cache the extensions if the cert object was passed in */
 if (cert != NULL && a != NULL) { /* then cert == *a */
 if (!ossl_x509v3_cache_extensions(cert)) {
- if (free_on_error)
+ if (free_on_error) {
+ *a = NULL;
 X509_free(cert);
+ }
 cert = NULL;
 }
 }
-- 
2.34.1
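Review bot: The new `*a = NULL;` in the `free_on_error` branch should carry a one-line why-comment, because the reason for it is only implied by the earlier `/* then cert == *a */` remark; something like `/* *a aliases cert: clear it first so the caller is not left holding a freed pointer */` would make the ownership rule explicit. When `free_on_error` is false the function still returns NULL while `*a` keeps pointing at the object whose extension caching just failed; that is presumably intended because the caller supplied and still owns that object, but `free_on_error` is assigned outside this hunk, so this should be confirmed and stated in the function's documentation. The diffstat shows only `x_x509.c` changed, so a regression test that makes `ossl_x509v3_cache_extensions` fail and then checks that the caller's pointer is NULL would guard against the dangling pointer returning. The body of `d2i_X509` starts and ends outside the hunk.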