x509: fix a dangling pointer

If object was pointer was passed and an error occured the object was freed & the
pointer returned.  Fix this to NULL out the caller's pointer before returning.

Fixes #15115

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15238)

diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 529d701bbbd4b0f87b530c4f37eb929a939341ec..7959ee223f73dba0a14aaaf8d4f07d659c86de6e 100644 (file)
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -131,8 +131,10 @@ X509 *d2i_X509(X509 **a, const unsigned char **in, long len)
     /* Only cache the extensions if the cert object was passed in */
     if (cert != NULL && a != NULL) { /* then cert == *a */
         if (!ossl_x509v3_cache_extensions(cert)) {
-            if (free_on_error)
+            if (free_on_error) {
+                *a = NULL;
                 X509_free(cert);
+            }
             cert = NULL;
         }
     }