From b75dbf3c118aeee4b1a71f882eb30ba7cefba486 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Tue, 14 Feb 2017 16:38:02 +0100
Subject: [PATCH] Fix some realloc error handling issues.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2625)
---
 apps/engine.c |  9 ++++++---
 ssl/ssl_rsa.c |  6 ++++--
 ssl/t1_ext.c  | 14 ++++++--------
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/apps/engine.c b/apps/engine.c
index f54631b50d..a8eed9af5c 100644
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -108,13 +108,16 @@ static int append_buf(char **buf, const char *s, int *size, int step)
     }
 
     if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
+        char *p = *buf;
+
         *size += step;
         *buf = OPENSSL_realloc(*buf, *size);
+        if (*buf == NULL) {
+            OPENSSL_free(p);
+            return 0;
+        }
     }
 
-    if (*buf == NULL)
-        return 0;
-
     if (**buf != '\0')
         BUF_strlcat(*buf, ", ", *size);
     BUF_strlcat(*buf, s, *size);
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index f679801a29..af03d45c2e 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -964,6 +964,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
     int ret = 0;
     BIO *bin = NULL;
     size_t num_extensions = 0;
+    unsigned char *new_serverinfo;
 
     if (ctx == NULL || file == NULL) {
         SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE,
@@ -1014,12 +1015,13 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
             goto end;
         }
         /* Append the decoded extension to the serverinfo buffer */
-        serverinfo =
+        new_serverinfo =
             OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
-        if (serverinfo == NULL) {
+        if (new_serverinfo == NULL) {
             SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE);
             goto end;
         }
+        serverinfo = new_serverinfo;
         memcpy(serverinfo + serverinfo_length, extension, extension_length);
         serverinfo_length += extension_length;
 
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 79ed946a51..89099142e1 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -223,16 +223,14 @@ static int custom_ext_meth_add(custom_ext_methods *exts,
     /* Search for duplicate */
     if (custom_ext_find(exts, ext_type))
         return 0;
-    exts->meths = OPENSSL_realloc(exts->meths,
-                                  (exts->meths_count +
-                                   1) * sizeof(custom_ext_method));
-
-    if (!exts->meths) {
-        exts->meths_count = 0;
+    meth = OPENSSL_realloc(exts->meths,
+                           (exts->meths_count + 1)
+                           * sizeof(custom_ext_method));
+    if (meth == NULL)
         return 0;
-    }
 
-    meth = exts->meths + exts->meths_count;
+    exts->meths = meth;
+    meth += exts->meths_count;
     memset(meth, 0, sizeof(custom_ext_method));
     meth->parse_cb = parse_cb;
     meth->add_cb = add_cb;
-- 
2.25.1