1 files changed, 24 insertions, 8 deletions
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index 69e230eff9..1407a96e03 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.28 2024/08/22 12:14:33 tb Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.29 2024/12/26 14:10:48 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -653,8 +653,16 @@ pkcs12_main(int argc, char **argv)
                            cfg.certfile, FORMAT_PEM, NULL,
                            "certificates from certfile")) == NULL)
                                goto export_end;
-                        while (sk_X509_num(morecerts) > 0)
+                        while (sk_X509_num(morecerts) > 0) {
-                                sk_X509_push(certs, sk_X509_shift(morecerts));
+                                X509 *cert = sk_X509_shift(morecerts);
+                                if (!sk_X509_push(certs, cert)) {
+                                        X509_free(cert);
+                                        sk_X509_pop_free(morecerts, X509_free);
+                                        goto export_end;
+                                }
+                        }
                        sk_X509_free(morecerts);
                }
@@ -678,11 +686,18 @@ pkcs12_main(int argc, char **argv)
                        if (vret == X509_V_OK) {
                                /* Exclude verified certificate */
-                                for (i = 1; i < sk_X509_num(chain2); i++)
+                                X509_free(sk_X509_shift(chain2));
-                                        sk_X509_push(certs, sk_X509_value(
-                                            chain2, i));
+                                while (sk_X509_num(chain2) > 0) {
-                                /* Free first certificate */
+                                        X509 *cert = sk_X509_shift(chain2);
-                                X509_free(sk_X509_value(chain2, 0));
+                                        if (!sk_X509_push(certs, cert)) {
+                                                X509_free(cert);
+                                                sk_X509_pop_free(chain2,
+                                                    X509_free);
+                                                goto export_end;
+                                        }
+                                }
                                sk_X509_free(chain2);
                        } else {
                                if (vret != X509_V_ERR_UNSPECIFIED)
@@ -692,6 +707,7 @@ pkcs12_main(int argc, char **argv)
                                            vret));
                                else
                                        ERR_print_errors(bio_err);
+                                sk_X509_pop_free(chain2, X509_free);
                                goto export_end;
                        }
                }

diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c index 69e230eff9..1407a96e03 100644 --- a/src/usr.bin/openssl/pkcs12.c +++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: pkcs12.c,v 1.28 2024/08/22 12:14:33 tb Exp $ */	1	/* $OpenBSD: pkcs12.c,v 1.29 2024/12/26 14:10:48 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project.	3	* project.
4	*/	4	*/
@@ -653,8 +653,16 @@ pkcs12_main(int argc, char **argv)
653	cfg.certfile, FORMAT_PEM, NULL,	653	cfg.certfile, FORMAT_PEM, NULL,
654	"certificates from certfile")) == NULL)	654	"certificates from certfile")) == NULL)
655	goto export_end;	655	goto export_end;
656	while (sk_X509_num(morecerts) > 0)	656	while (sk_X509_num(morecerts) > 0) {
657	sk_X509_push(certs, sk_X509_shift(morecerts));	657	X509 *cert = sk_X509_shift(morecerts);
		658
		659	if (!sk_X509_push(certs, cert)) {
		660	X509_free(cert);
		661	sk_X509_pop_free(morecerts, X509_free);
		662	goto export_end;
		663	}
		664	}
		665
658	sk_X509_free(morecerts);	666	sk_X509_free(morecerts);
659	}	667	}
660		668
@@ -678,11 +686,18 @@ pkcs12_main(int argc, char **argv)
678		686
679	if (vret == X509_V_OK) {	687	if (vret == X509_V_OK) {
680	/* Exclude verified certificate */	688	/* Exclude verified certificate */
681	for (i = 1; i < sk_X509_num(chain2); i++)	689	X509_free(sk_X509_shift(chain2));
682	sk_X509_push(certs, sk_X509_value(	690
683	chain2, i));	691	while (sk_X509_num(chain2) > 0) {
684	/* Free first certificate */	692	X509 *cert = sk_X509_shift(chain2);
685	X509_free(sk_X509_value(chain2, 0));	693
		694	if (!sk_X509_push(certs, cert)) {
		695	X509_free(cert);
		696	sk_X509_pop_free(chain2,
		697	X509_free);
		698	goto export_end;
		699	}
		700	}
686	sk_X509_free(chain2);	701	sk_X509_free(chain2);
687	} else {	702	} else {
688	if (vret != X509_V_ERR_UNSPECIFIED)	703	if (vret != X509_V_ERR_UNSPECIFIED)
@@ -692,6 +707,7 @@ pkcs12_main(int argc, char **argv)
692	vret));	707	vret));
693	else	708	else
694	ERR_print_errors(bio_err);	709	ERR_print_errors(bio_err);
		710	sk_X509_pop_free(chain2, X509_free);
695	goto export_end;	711	goto export_end;
696	}	712	}
697	}	713	}