Fix crahses and leaks in pkcs12 utility -chain option

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index aeba62ea08c9a0c8a4b03f7aa48a4eb568f1f9ba..f53b44721eb9d7c3dae4c839f8df237bec17e59c 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -480,9 +480,10 @@ int MAIN(int argc, char **argv)
                    /* Exclude verified certificate */
                    for (i = 1; i < sk_X509_num (chain2) ; i++) 
                        sk_X509_push(certs, sk_X509_value (chain2, i));
-               }
-               sk_X509_free(chain2);
-               if (vret) {
+                   /* Free first certificate */
+                   X509_free(sk_X509_value(chain2, 0));
+                   sk_X509_free(chain2);
+               } else {
                        BIO_printf (bio_err, "Error %s getting chain.\n",
                                        X509_verify_cert_error_string(vret));
                        goto export_end;
@@ -509,8 +510,6 @@ int MAIN(int argc, char **argv)
        }
        sk_X509_pop_free(certs, X509_free);
        certs = NULL;
-       /* ucert is part of certs so it is already freed */
-       ucert = NULL;
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
@@ -598,7 +597,6 @@ int MAIN(int argc, char **argv)
        if (certs) sk_X509_pop_free(certs, X509_free);
        if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
        if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-       if (ucert) X509_free(ucert);
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();