From 85f6ff70f87dd81b08a5fb98304f9691cb09a136 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 May 2024 16:14:38 +0000
Subject: Fix i2d_ASN1_OBJECT()

When called with a pointer to NULL as an output buffer, one would expect an i2d API to allocate the buffer and return it. The implementation here is special and the allocation dance was forgotten, resulting in a SIGSEGV. Add said dance.

ok jsing
---
 src/lib/libcrypto/asn1/a_object.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index aae1b8bbd7..ed9e9287c4 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.53 2024/05/29 16:10:41 tb Exp $ */
+/* $OpenBSD: a_object.c,v 1.54 2024/05/29 16:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -615,7 +615,7 @@ c2i_ASN1_OBJECT(ASN1_OBJECT **out_aobj, const unsigned char **pp, long len)
 int
 i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
 {
- unsigned char *p;
+ unsigned char *buf, *p;
 int objsize;

 if (a == NULL || a->data == NULL)
@@ -626,11 +626,20 @@ i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
 if (pp == NULL)
 return objsize;

- p = *pp;
+ if ((buf = *pp) == NULL)
+ buf = calloc(1, objsize);
+ if (buf == NULL)
+ return -1;
+
+ p = buf;
 ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
 memcpy(p, a->data, a->length);
 p += a->length;

+ /* If buf was allocated, return it, otherwise return the advanced p. */
+ if (*pp == NULL)
+ p = buf;
+
 *pp = p;

 return objsize;
--
cgit v1.2.3-55-g6feb
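Review bot: `calloc(1, objsize)` in the new allocation branch of the third hunk takes an `int` that no visible line checks for being positive; `objsize` is assigned between the second and third hunks, so this is inferred rather than seen. A negative value would convert to a huge `size_t`, so `calloc()` fails and this path returns -1, but the caller-supplied-buffer path would still reach `ASN1_put_object()` and `memcpy()` with the same length. An explicit `if (objsize <= 0) return -1;` ahead of the `pp == NULL` test would make both paths fail closed. A short comment above the function saying that a buffer allocated when `*pp == NULL` belongs to the caller and must be freed would also help. The function's closing brace lies outside the hunk.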