Fix double free in certificate policies configuration

In nref_nos(), nnums must not be freed on error because in the caller it
is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which
is freed as part of POLICYQUALINFO_free() in the error path.

ok jsing kenjiro

1 files changed, 7 insertions, 12 deletions

diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index e075f462ad..25a40b0739 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.19 2025/11/03 16:36:15 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.20 2025/11/28 06:03:40 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -676,23 +676,18 @@ nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 
         for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
                 cnf = sk_CONF_VALUE_value(nos, i);
-                if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+                if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
                         X509V3error(X509V3_R_INVALID_NUMBER);
-                        goto err;
+                        return 0;
                 }
-                if (!sk_ASN1_INTEGER_push(nnums, aint)) {
+                if (sk_ASN1_INTEGER_push(nnums, aint) <= 0) {
+                        X509V3error(ERR_R_MALLOC_FAILURE);
                         ASN1_INTEGER_free(aint);
-                        goto merr;
+                        return 0;
                 }
         }
-        return 1;
-
- merr:
-        X509V3error(ERR_R_MALLOC_FAILURE);
 
- err:
-        sk_ASN1_INTEGER_pop_free(nnums, ASN1_INTEGER_free);
-        return 0;
+        return 1;
 }
 
 static int