diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c
--- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200
@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
{
const unsigned char *q;
X509 *ret;
+ int freeret = 0;
+
/* Save start position */
q = *pp;
+
+ if(!a || *a == NULL) {
+ freeret = 1;
+ }
ret = d2i_X509(a, pp, length);
/* If certificate unreadable then forget it */
if(!ret) return NULL;
@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
return ret;
err:
- X509_free(ret);
+ if(freeret) {
+ X509_free(ret);
+ if (a)
+ *a = NULL;
+ }
return NULL;
}
diff -up openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1e/crypto/ec/ec_asn1.c
--- openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-06-11 11:14:52.581856349 +0200
@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
ERR_R_MALLOC_FAILURE);
goto err;
}
- if (a)
- *a = ret;
}
else
ret = *a;
@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
}
}
+ if (a)
+ *a = ret;
ok = 1;
err:
if (!ok)
{
- if (ret)
+ if (ret && (a == NULL || *a != ret))
EC_KEY_free(ret);
ret = NULL;
}
@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (a)
- *a = ret;
}
else
ret = *a;
@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
if (!d2i_ECPKParameters(&ret->group, in, len))
{
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+ if (a == NULL || *a != ret)
+ EC_KEY_free(ret);
return NULL;
}
+ if (a)
+ *a = ret;
+
return ret;
}