Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64

Otherwise, |dec| gets moved past the end of the signature by o2i_SCT_signature and then can't be correctly freed afterwards. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1548)
author: Rob Percival <robpercival@google.com> 2016-10-19 15:38:20 +0100
committer: Rob Percival <robpercival@google.com> 2016-11-16 13:43:36 +0000
commit: 73ccf3ca01085d143aecb7fcfb0aac18caa678d2 (patch)
tree: 899c7d6a6b31a46607b6a74a2003b832ae0f1374 /crypto/ct
parent: 70a06fc1a8b098e9934f837896159bfc6caf0228 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/crypto/ct/ct_b64.c b/crypto/ct/ct_b64.c
index 636ac4f5d2..f0bf3aff29 100644
--- a/crypto/ct/ct_b64.c
+++ b/crypto/ct/ct_b64.c
@@ -64,6 +64,7 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
 {
     SCT *sct = SCT_new();
     unsigned char *dec = NULL;
+    const unsigned char* p = NULL;
     int declen;
 
     if (sct == NULL) {
@@ -102,7 +103,9 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
         CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
         goto err;
     }
-    if (o2i_SCT_signature(sct, (const unsigned char **)&dec, declen) <= 0)
+
+    p = dec;
+    if (o2i_SCT_signature(sct, &p, declen) <= 0)
         goto err;
     OPENSSL_free(dec);
     dec = NULL;
author	Rob Percival <robpercival@google.com>	2016-10-19 15:38:20 +0100
committer	Rob Percival <robpercival@google.com>	2016-11-16 13:43:36 +0000
commit	73ccf3ca01085d143aecb7fcfb0aac18caa678d2 (patch)
tree	899c7d6a6b31a46607b6a74a2003b832ae0f1374 /crypto/ct
parent	70a06fc1a8b098e9934f837896159bfc6caf0228 (diff)