From 27eb6bc04fb78763e85062ff59f306d666290253 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Wed, 15 Jul 2015 17:41:56 +0000
Subject: Fix two theoretical NULL pointer dereferences which can only happen
 if you have seriously corrupted your memory; Coverity CID 21708 and 21721.

While there, plug a memory leak upon error in x509_name_canon().

ok bcook@ beck@
---
 src/lib/libcrypto/asn1/x_name.c         | 13 +++++++++----
 src/lib/libssl/src/crypto/asn1/x_name.c | 13 +++++++++----
 2 files changed, 18 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index 51c5a0ae41..569c6fe346 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */
+/* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a)
 				goto memerr;
 			set = entry->set;
 		}
-		if (!sk_X509_NAME_ENTRY_push(entries, entry))
+		if (entries == NULL /* if entry->set is bogusly -1 */ ||
+		    !sk_X509_NAME_ENTRY_push(entries, entry))
 			goto memerr;
 	}
 	len = ASN1_item_ex_i2d(&intname.a, NULL,
@@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a)
 			entries = sk_X509_NAME_ENTRY_new_null();
 			if (!entries)
 				goto err;
-			if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries))
+			if (sk_STACK_OF_X509_NAME_ENTRY_push(intname,
+			    entries) == 0) {
+				sk_X509_NAME_ENTRY_free(entries);
 				goto err;
+			}
 			set = entry->set;
 		}
 		tmpentry = X509_NAME_ENTRY_new();
@@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a)
 			goto err;
 		if (!asn1_string_canon(tmpentry->value, entry->value))
 			goto err;
-		if (!sk_X509_NAME_ENTRY_push(entries, tmpentry))
+		if (entries == NULL /* if entry->set is bogusly -1 */ ||
+		    !sk_X509_NAME_ENTRY_push(entries, tmpentry))
 			goto err;
 		tmpentry = NULL;
 	}
diff --git a/src/lib/libssl/src/crypto/asn1/x_name.c b/src/lib/libssl/src/crypto/asn1/x_name.c
index 51c5a0ae41..569c6fe346 100644
--- a/src/lib/libssl/src/crypto/asn1/x_name.c
+++ b/src/lib/libssl/src/crypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.29 2015/02/14 15:29:29 miod Exp $ */
+/* $OpenBSD: x_name.c,v 1.30 2015/07/15 17:41:56 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -377,7 +377,8 @@ x509_name_encode(X509_NAME *a)
 				goto memerr;
 			set = entry->set;
 		}
-		if (!sk_X509_NAME_ENTRY_push(entries, entry))
+		if (entries == NULL /* if entry->set is bogusly -1 */ ||
+		    !sk_X509_NAME_ENTRY_push(entries, entry))
 			goto memerr;
 	}
 	len = ASN1_item_ex_i2d(&intname.a, NULL,
@@ -449,8 +450,11 @@ x509_name_canon(X509_NAME *a)
 			entries = sk_X509_NAME_ENTRY_new_null();
 			if (!entries)
 				goto err;
-			if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries))
+			if (sk_STACK_OF_X509_NAME_ENTRY_push(intname,
+			    entries) == 0) {
+				sk_X509_NAME_ENTRY_free(entries);
 				goto err;
+			}
 			set = entry->set;
 		}
 		tmpentry = X509_NAME_ENTRY_new();
@@ -461,7 +465,8 @@ x509_name_canon(X509_NAME *a)
 			goto err;
 		if (!asn1_string_canon(tmpentry->value, entry->value))
 			goto err;
-		if (!sk_X509_NAME_ENTRY_push(entries, tmpentry))
+		if (entries == NULL /* if entry->set is bogusly -1 */ ||
+		    !sk_X509_NAME_ENTRY_push(entries, tmpentry))
 			goto err;
 		tmpentry = NULL;
 	}
-- 
cgit v1.2.3-55-g6feb