diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c

--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref	2013-02-11 16:26:04.000000000 +0100

+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c	2015-03-18 18:54:10.064871658 +0100

@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)

 	PKCS7_RECIP_INFO *ri=NULL;

 	ASN1_OCTET_STRING *os=NULL;

+	if (p7 == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);

+		return NULL;

+		}

+	/*

+	 * The content field in the PKCS7 ContentInfo is optional, but that really

+	 * only applies to inner content (precisely, detached signatures).

+	 *

+	 * When reading content, missing outer content is therefore treated as an

+	 * error.

+	 *

+	 * When creating content, PKCS7_content_new() must be called before

+	 * calling this method, so a NULL p7->d is always an error.

+	 */

+	if (p7->d.ptr == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);

+		return NULL;

+		}

+

 	i=OBJ_obj2nid(p7->type);

 	p7->state=PKCS7_S_HEADER;

@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE

        unsigned char *ek = NULL, *tkey = NULL;

        int eklen = 0, tkeylen = 0;

+	if (p7 == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);

+		return NULL;

+		}

+

+	if (p7->d.ptr == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);

+		return NULL;

+		}

+

 	i=OBJ_obj2nid(p7->type);

 	p7->state=PKCS7_S_HEADER;

@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE

 		{

 	case NID_pkcs7_signed:

 		data_body=PKCS7_get_octet_string(p7->d.sign->contents);

+		if (!PKCS7_is_detached(p7) && data_body == NULL)

+			{

+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,

+				PKCS7_R_NO_CONTENT);

+			goto err;

+			}

 		md_sk=p7->d.sign->md_algs;

 		break;

 	case NID_pkcs7_signedAndEnveloped:

@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)

 	STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;

 	ASN1_OCTET_STRING *os=NULL;

+	if (p7 == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);

+		return 0;

+		}

+

+	if (p7->d.ptr == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);

+		return 0;

+		}

+

 	EVP_MD_CTX_init(&ctx_tmp);

 	i=OBJ_obj2nid(p7->type);

 	p7->state=PKCS7_S_HEADER;

@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)

 		/* If detached data then the content is excluded */

 		if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {

 			M_ASN1_OCTET_STRING_free(os);

+			os = NULL;

 			p7->d.sign->contents->d.data = NULL;

 		}

 		break;

@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)

 		if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)

 			{

 			M_ASN1_OCTET_STRING_free(os);

+			os = NULL;

 			p7->d.digest->contents->d.data = NULL;

 			}

 		break;

@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)

 		M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);

 		}

-	if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))

+	if (!PKCS7_is_detached(p7))

 		{

-		char *cont;

-		long contlen;

-		btmp=BIO_find_type(bio,BIO_TYPE_MEM);

-		if (btmp == NULL)

-			{

-			PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);

+		/*

+		 * NOTE(emilia): I think we only reach os == NULL here because detached

+		 * digested data support is broken.

+		 */

+		if (os == NULL)

 			goto err;

+		if (!(os->flags & ASN1_STRING_FLAG_NDEF))

+			{

+			char *cont;

+			long contlen;

+			btmp=BIO_find_type(bio,BIO_TYPE_MEM);

+			if (btmp == NULL)

+				{

+				PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);

+				goto err;

+				}

+			contlen = BIO_get_mem_data(btmp, &cont;;

+			/* Mark the BIO read only then we can use its copy of the data

+			 * instead of making an extra copy.

+			 */

+			BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);

+			BIO_set_mem_eof_return(btmp, 0);

+			ASN1_STRING_set0(os, (unsigned char *)cont, contlen);

 			}

-		contlen = BIO_get_mem_data(btmp, &cont;;

-		/* Mark the BIO read only then we can use its copy of the data

-		 * instead of making an extra copy.

-		 */

-		BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);

-		BIO_set_mem_eof_return(btmp, 0);

-		ASN1_STRING_set0(os, (unsigned char *)cont, contlen);

 		}

 	ret=1;

 err:

@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_

 	if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)

 		goto err;

 	OPENSSL_free(abuf);

+	abuf = NULL;

 	if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)

 		goto err;

 	abuf = OPENSSL_malloc(siglen);

@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st

 	STACK_OF(X509) *cert;

 	X509 *x509;

+	if (p7 == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);

+		return 0;

+		}

+

+	if (p7->d.ptr == NULL)

+		{

+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);

+		return 0;

+		}

+

 	if (PKCS7_type_is_signed(p7))

 		{

 		cert=p7->d.sign->cert;

diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c

--- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref	2013-02-11 16:26:04.000000000 +0100

+++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c	2015-03-18 18:05:58.398767116 +0100

@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV

 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)

 	{

+	if (p7 == NULL || p7->d.ptr == NULL)

+		return NULL;

 	if (PKCS7_type_is_signed(p7))

 		{

 		return(p7->d.sign->signer_info);