From c40ede0917953bfe57ee31c5d160eb82d3810e7d Mon Sep 17 00:00:00 2001
From: miod <miod@openbsd.org>
Date: Wed, 23 Jul 2014 04:44:56 +0000
Subject: [PATCH] Check the return value of the UI functions (including
 UI_new() which return value is happily dereferenced without checking it for
 being non-NULL).

ok beck@
---
 lib/libcrypto/evp/evp_key.c         | 17 +++++++++++------
 lib/libssl/src/crypto/evp/evp_key.c | 17 +++++++++++------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/lib/libcrypto/evp/evp_key.c b/lib/libcrypto/evp/evp_key.c
index dffca300c6b..2873a888bd2 100644
--- a/lib/libcrypto/evp/evp_key.c
+++ b/lib/libcrypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.18 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: evp_key.c,v 1.19 2014/07/23 04:44:56 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -103,11 +103,16 @@ EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
 	if ((prompt == NULL) && (prompt_string[0] != '\0'))
 		prompt = prompt_string;
 	ui = UI_new();
-	UI_add_input_string(ui, prompt, 0, buf, min,
-	    (len >= BUFSIZ) ? BUFSIZ - 1 : len);
-	if (verify)
-		UI_add_verify_string(ui, prompt, 0, buff, min,
-		    (len >= BUFSIZ) ? BUFSIZ - 1 : len, buf);
+	if (ui == NULL)
+		return -1;
+	if (UI_add_input_string(ui, prompt, 0, buf, min,
+	    (len >= BUFSIZ) ? BUFSIZ - 1 : len) != 0)
+		return -1;
+	if (verify) {
+		if (UI_add_verify_string(ui, prompt, 0, buff, min,
+		    (len >= BUFSIZ) ? BUFSIZ - 1 : len, buf) != 0)
+			return -1;
+	}
 	ret = UI_process(ui);
 	UI_free(ui);
 	OPENSSL_cleanse(buff, BUFSIZ);
diff --git a/lib/libssl/src/crypto/evp/evp_key.c b/lib/libssl/src/crypto/evp/evp_key.c
index dffca300c6b..2873a888bd2 100644
--- a/lib/libssl/src/crypto/evp/evp_key.c
+++ b/lib/libssl/src/crypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.18 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: evp_key.c,v 1.19 2014/07/23 04:44:56 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -103,11 +103,16 @@ EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt,
 	if ((prompt == NULL) && (prompt_string[0] != '\0'))
 		prompt = prompt_string;
 	ui = UI_new();
-	UI_add_input_string(ui, prompt, 0, buf, min,
-	    (len >= BUFSIZ) ? BUFSIZ - 1 : len);
-	if (verify)
-		UI_add_verify_string(ui, prompt, 0, buff, min,
-		    (len >= BUFSIZ) ? BUFSIZ - 1 : len, buf);
+	if (ui == NULL)
+		return -1;
+	if (UI_add_input_string(ui, prompt, 0, buf, min,
+	    (len >= BUFSIZ) ? BUFSIZ - 1 : len) != 0)
+		return -1;
+	if (verify) {
+		if (UI_add_verify_string(ui, prompt, 0, buff, min,
+		    (len >= BUFSIZ) ? BUFSIZ - 1 : len, buf) != 0)
+			return -1;
+	}
 	ret = UI_process(ui);
 	UI_free(ui);
 	OPENSSL_cleanse(buff, BUFSIZ);
-- 
2.20.1