From ec82bac431abf0081b4b2443274fceac3d8c6405 Mon Sep 17 00:00:00 2001 From: tb Date: Mon, 10 Jan 2022 10:51:31 +0000 Subject: [PATCH] Prevent a double free in EVP_MD_CTX_copy_ex() NULL out two pointer values after memcpy() to avoid a double free. In the event that both in->pctx and in->md_data are non-NULL and the calloc() of out->md_data fails, a double free could occur. ok inoguchi jsing --- lib/libcrypto/evp/digest.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/libcrypto/evp/digest.c b/lib/libcrypto/evp/digest.c index fd423180449..ecb52925324 100644 --- a/lib/libcrypto/evp/digest.c +++ b/lib/libcrypto/evp/digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.33 2022/01/09 15:15:25 tb Exp $ */ +/* $OpenBSD: digest.c,v 1.34 2022/01/10 10:51:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -281,6 +281,8 @@ EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out, in, sizeof *out); + out->md_data = NULL; + out->pctx = NULL; /* * Because of the EVP_PKEY_CTX_dup() below, EVP_MD_CTX_cleanup() needs -- 2.20.1