Update from stable branch.
diff --git a/CHANGES b/CHANGES
index 1b034ce..6d2006e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -751,6 +751,11 @@
Changes between 0.9.8j and 0.9.8k [xx XXX xxxx]
+ *) Don't set val to NULL when freeing up structures, it is freed up by
+ underlying code. If sizeof(void *) > sizeof(long) this can result in
+ zeroing past the valid field. (CVE-2009-0789)
+ [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
+
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 359e9c3..3bee439 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -613,7 +613,6 @@
err:
ASN1_template_free(val, tt);
- *val = NULL;
return 0;
}
@@ -762,7 +761,6 @@
err:
ASN1_template_free(val, tt);
- *val = NULL;
return 0;
}
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 12fc844..4a799eb 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -419,7 +419,7 @@
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++)
{
si = sk_CMS_SignerInfo_value(sinfos, i);
- if (!CMS_SignerInfo_verify_content(si, cmsbio))
+ if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0)
{
CMSerr(CMS_F_CMS_VERIFY,
CMS_R_CONTENT_VERIFY_ERROR);
