From 73bce59b2aaca7d3ae9dd6087472dbfdca23c83f Mon Sep 17 00:00:00 2001
From: tb <>
Date: Mon, 3 Nov 2025 16:36:15 +0000
Subject: In nref_nos() don't leak the ASN1_INTEGER if the push fails

(A much bigger problem here is a double free for which I will send
out a diff shortly)

From Niels Dossche
---
 src/lib/libcrypto/x509/x509_cpols.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 2c36cbd0f8..e075f462ad 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.18 2025/11/03 16:22:13 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.19 2025/11/03 16:36:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -680,8 +680,10 @@ nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
 			X509V3error(X509V3_R_INVALID_NUMBER);
 			goto err;
 		}
-		if (!sk_ASN1_INTEGER_push(nnums, aint))
+		if (!sk_ASN1_INTEGER_push(nnums, aint)) {
+			ASN1_INTEGER_free(aint);
 			goto merr;
+		}
 	}
 	return 1;
 
-- 
cgit v1.2.3-55-g6feb