From 73ccf3ca01085d143aecb7fcfb0aac18caa678d2 Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Wed, 19 Oct 2016 15:38:20 +0100 Subject: [PATCH] Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64 Otherwise, |dec| gets moved past the end of the signature by o2i_SCT_signature and then can't be correctly freed afterwards. Reviewed-by: Tim Hudson Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1548) --- crypto/ct/ct_b64.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/ct/ct_b64.c b/crypto/ct/ct_b64.c index 636ac4f5d2..f0bf3aff29 100644 --- a/crypto/ct/ct_b64.c +++ b/crypto/ct/ct_b64.c @@ -64,6 +64,7 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64, { SCT *sct = SCT_new(); unsigned char *dec = NULL; + const unsigned char* p = NULL; int declen; if (sct == NULL) { @@ -102,7 +103,9 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64, CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); goto err; } - if (o2i_SCT_signature(sct, (const unsigned char **)&dec, declen) <= 0) + + p = dec; + if (o2i_SCT_signature(sct, &p, declen) <= 0) goto err; OPENSSL_free(dec); dec = NULL; -- 2.25.1