x509: address NULL dereference and memory leaks

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from #15910)
openssl · Jun 26, 2021 · 1502519 · 1502519
1 parent d4af922
commit 1502519
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
@@ -84,14 +84,16 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub)
 
 static void x509_pubkey_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-    X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
+    X509_PUBKEY *pubkey;
 
-    X509_ALGOR_free(pubkey->algor);
-    ASN1_BIT_STRING_free(pubkey->public_key);
-    EVP_PKEY_free(pubkey->pkey);
-    OPENSSL_free(pubkey->propq);
-    OPENSSL_free(pubkey);
-    *pval = NULL;
+    if (pval != NULL && (pubkey = (X509_PUBKEY *)*pval) != NULL) {
+        X509_ALGOR_free(pubkey->algor);
+        ASN1_BIT_STRING_free(pubkey->public_key);
+        EVP_PKEY_free(pubkey->pkey);
+        OPENSSL_free(pubkey->propq);
+        OPENSSL_free(pubkey);
+        *pval = NULL;
+    }
 }
 
 static int x509_pubkey_ex_populate(ASN1_VALUE **pval, const ASN1_ITEM *it)

diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c
@@ -125,17 +125,22 @@ int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj)
 {
     X509_CERT_AUX *aux;
     ASN1_OBJECT *objtmp;
+    int res = 0;
+
     if ((objtmp = OBJ_dup(obj)) == NULL)
         return 0;
     if ((aux = aux_get(x)) == NULL)
         goto err;
     if (aux->reject == NULL
         && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL)
         goto err;
-    return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+    if (sk_ASN1_OBJECT_push(aux->reject, objtmp) > 0)
+        res = 1;
+
  err:
-    ASN1_OBJECT_free(objtmp);
-    return 0;
+    if (!res)
+        ASN1_OBJECT_free(objtmp);
+    return res;
 }
 
 void X509_trust_clear(X509 *x)