From 9fb10cfe6b9f0408d9de613c5ed7bf5c2530f5e5 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Fri, 27 Jun 2014 03:21:10 +0100
Subject: Memory leak and NULL dereference fixes.

PR#3403
(cherry picked from commit d2aea038297e0c64ca66e6844cbb37377365885e)

Conflicts:

	apps/crl2p7.c
	crypto/asn1/a_utctm.c
	crypto/asn1/ameth_lib.c
	crypto/asn1/bio_asn1.c
---
 apps/apps.c            |  4 ++++
 apps/ca.c              |  3 +++
 apps/crl2p7.c          |  8 +++++++-
 crypto/asn1/asn_mime.c |  2 ++
 crypto/asn1/asn_pack.c | 12 ++++++++++--
 crypto/asn1/evp_asn1.c |  6 +++++-
 crypto/asn1/t_x509.c   |  2 ++
 crypto/asn1/tasn_enc.c |  7 ++++++-
 8 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index ce8d9c9a7d..792b2540f3 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -362,6 +362,8 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		{
 		arg->count=20;
 		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
+		if (arg->data == NULL)
+			return 0;
 		}
 	for (i=0; i<arg->count; i++)
 		arg->data[i]=NULL;
@@ -1429,6 +1431,8 @@ char *make_config_name()
 
 	len=strlen(t)+strlen(OPENSSL_CONF)+2;
 	p=OPENSSL_malloc(len);
+	if (p == NULL)
+		return NULL;
 	BUF_strlcpy(p,t,len);
 #ifndef OPENSSL_SYS_VMS
 	BUF_strlcat(p,"/",len);
diff --git a/apps/ca.c b/apps/ca.c
index 651c5a648a..d6984ba8fd 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2751,6 +2751,9 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 
 	revtm = X509_gmtime_adj(NULL, 0);
 
+	if (!revtm)
+		return NULL;
+
 	i = revtm->length + 1;
 
 	if (reason) i += strlen(reason) + 1;
diff --git a/apps/crl2p7.c b/apps/crl2p7.c
index b2f2d121d5..f164a3ad94 100644
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -142,7 +142,13 @@ int MAIN(int argc, char **argv)
 			{
 			if (--argc < 1) goto bad;
 			if(!certflst) certflst = sk_new_null();
-			sk_push(certflst,*(++argv));
+			if (!certflst)
+				goto end;
+			if (!sk_push(certflst,*(++argv)))
+				{
+				sk_free(certflst);
+				goto end;
+				}
 			}
 		else
 			{
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index ad8fbed907..095887f27d 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -595,6 +595,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
 	int len, state, save_state = 0;
 
 	headers = sk_MIME_HEADER_new(mime_hdr_cmp);
+	if (!headers)
+		return NULL;
 	while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
 	/* If whitespace at line start then continuation line */
 	if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c
index f1a5a05632..c373714b68 100644
--- a/crypto/asn1/asn_pack.c
+++ b/crypto/asn1/asn_pack.c
@@ -134,15 +134,23 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct)
 		
 	if (!(octmp->length = i2d(obj, NULL))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
-		return NULL;
+		goto err;
 	}
 	if (!(p = OPENSSL_malloc (octmp->length))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	octmp->data = p;
 	i2d (obj, &p);
 	return octmp;
+	err:
+	if (!oct || !*oct)
+		{
+		ASN1_STRING_free(octmp);
+		if (oct)
+			*oct = NULL;
+		}
+	return NULL;
 }
 
 #endif
diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
index f3d9804860..1b9445973e 100644
--- a/crypto/asn1/evp_asn1.c
+++ b/crypto/asn1/evp_asn1.c
@@ -66,7 +66,11 @@ int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len)
 	ASN1_STRING *os;
 
 	if ((os=M_ASN1_OCTET_STRING_new()) == NULL) return(0);
-	if (!M_ASN1_OCTET_STRING_set(os,data,len)) return(0);
+	if (!M_ASN1_OCTET_STRING_set(os,data,len))
+		{
+		M_ASN1_OCTET_STRING_free(os);
+		return 0;
+		}
 	ASN1_TYPE_set(a,V_ASN1_OCTET_STRING,os);
 	return(1);
 	}
diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c
index 6f295b4e14..f9dad0e6fa 100644
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -465,6 +465,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
 	l=80-2-obase;
 
 	b=X509_NAME_oneline(name,NULL,0);
+	if (!b)
+		return 0;
 	if (!*b)
 		{
 		OPENSSL_free(b);
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 2721f904a6..b3687f9f1c 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -453,9 +453,14 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
 			{
 			derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk)
 						* sizeof(*derlst));
+			if (!derlst)
+				return 0;
 			tmpdat = OPENSSL_malloc(skcontlen);
-			if (!derlst || !tmpdat)
+			if (!tmpdat)
+				{
+				OPENSSL_free(derlst);
 				return 0;
+				}
 			}
 		}
 	/* If not sorting just output each item */
-- 
cgit v1.2.3