Free allocated stack of found exts

samuel40791765 · samuel40791765 · commit 5081638ad29b · 2025-05-05T17:16:51.000Z
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
@@ -598,6 +598,7 @@ static int check_custom_critical_extensions(X509_STORE_CTX *ctx, X509 *x) {
         if (OBJ_cmp(ext->object, known_ext) == 0) {
           found = 1;
           if (!sk_ASN1_OBJECT_push(found_exts, known_ext)) {
+            sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);
             return 0;
           }
           break;
@@ -606,6 +607,7 @@ static int check_custom_critical_extensions(X509_STORE_CTX *ctx, X509 *x) {
 
       if (!found) {
         // If any critical extension isn't in our known list, return early.
+        sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);
         return 0;
       }
     }
@@ -615,13 +617,15 @@ static int check_custom_critical_extensions(X509_STORE_CTX *ctx, X509 *x) {
   // If we get here, all unknown critical extensions in |x| were
   // properly handled and we pass the ones that were found to the caller.
   if (!ctx->verify_custom_crit_oids(ctx, x, found_exts)) {
+    sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);
     return 0;
   }
 
   // Remove the |EXFLAG_CRITICAL| flag from |x|, now that all unknown
   // critical extensions have been handled.
   x->ex_flags &= ~EXFLAG_CRITICAL;
 
+  sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);
   return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -598,6 +598,7 @@ static int check_custom_critical_extensions(X509_STORE_CTX ctx, X509 x) {`
`598`	`598`	`if (OBJ_cmp(ext->object, known_ext) == 0) {`
`599`	`599`	`found = 1;`
`600`	`600`	`if (!sk_ASN1_OBJECT_push(found_exts, known_ext)) {`
	`601`	`+ sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);`
`601`	`602`	`return 0;`
`602`	`603`	`}`
`603`	`604`	`break;`
`@@ -606,6 +607,7 @@ static int check_custom_critical_extensions(X509_STORE_CTX ctx, X509 x) {`
`606`	`607`
`607`	`608`	`if (!found) {`
`608`	`609`	`// If any critical extension isn't in our known list, return early.`
	`610`	`+ sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);`
`609`	`611`	`return 0;`
`610`	`612`	`}`
`611`	`613`	`}`
`@@ -615,13 +617,15 @@ static int check_custom_critical_extensions(X509_STORE_CTX ctx, X509 x) {`
`615`	`617`	`// If we get here, all unknown critical extensions in \|x\| were`
`616`	`618`	`// properly handled and we pass the ones that were found to the caller.`
`617`	`619`	`if (!ctx->verify_custom_crit_oids(ctx, x, found_exts)) {`
	`620`	`+ sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);`
`618`	`621`	`return 0;`
`619`	`622`	`}`
`620`	`623`
`621`	`624`	`// Remove the \|EXFLAG_CRITICAL\| flag from \|x\|, now that all unknown`
`622`	`625`	`// critical extensions have been handled.`
`623`	`626`	`x->ex_flags &= ~EXFLAG_CRITICAL;`
`624`	`627`
	`628`	`+ sk_ASN1_OBJECT_pop_free(found_exts, ASN1_OBJECT_free);`
`625`	`629`	`return 1;`
`626`	`630`	`}`
`627`	`631`