83 lines
1.9 KiB
Diff
83 lines
1.9 KiB
Diff
diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c
|
|
--- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200
|
|
@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
|
|
{
|
|
const unsigned char *q;
|
|
X509 *ret;
|
|
+ int freeret = 0;
|
|
+
|
|
/* Save start position */
|
|
q = *pp;
|
|
+
|
|
+ if(!a || *a == NULL) {
|
|
+ freeret = 1;
|
|
+ }
|
|
ret = d2i_X509(a, pp, length);
|
|
/* If certificate unreadable then forget it */
|
|
if(!ret) return NULL;
|
|
@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
|
|
if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
|
|
return ret;
|
|
err:
|
|
- X509_free(ret);
|
|
+ if(freeret) {
|
|
+ X509_free(ret);
|
|
+ if (a)
|
|
+ *a = NULL;
|
|
+ }
|
|
return NULL;
|
|
}
|
|
|
|
diff -up openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1e/crypto/ec/ec_asn1.c
|
|
--- openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-06-11 11:14:52.581856349 +0200
|
|
@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
|
ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
- if (a)
|
|
- *a = ret;
|
|
}
|
|
else
|
|
ret = *a;
|
|
@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
|
|
}
|
|
}
|
|
|
|
+ if (a)
|
|
+ *a = ret;
|
|
ok = 1;
|
|
err:
|
|
if (!ok)
|
|
{
|
|
- if (ret)
|
|
+ if (ret && (a == NULL || *a != ret))
|
|
EC_KEY_free(ret);
|
|
ret = NULL;
|
|
}
|
|
@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
|
|
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
|
|
return NULL;
|
|
}
|
|
- if (a)
|
|
- *a = ret;
|
|
}
|
|
else
|
|
ret = *a;
|
|
@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
|
|
if (!d2i_ECPKParameters(&ret->group, in, len))
|
|
{
|
|
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
|
|
+ if (a == NULL || *a != ret)
|
|
+ EC_KEY_free(ret);
|
|
return NULL;
|
|
}
|
|
|
|
+ if (a)
|
|
+ *a = ret;
|
|
+
|
|
return ret;
|
|
}
|
|
|