Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails

ndossche · ndossche · commit c2eadb492297 · 2026-01-23T14:58:39.000+01:00
The X509_NAME_oneline() function can return NULL, which will cause a crash when the string length is computed via add_assoc_string(). Closes GH-21011.
diff --git a/NEWS b/NEWS
@@ -32,6 +32,8 @@ PHP                                                                        NEWS
 
 - OpenSSL:
   . Fix memory leaks when sk_X509_new_null() fails. (ndossche)
+  . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails.
+    (ndossche)
 
 - Phar:
   . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory).
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
@@ -2166,6 +2166,12 @@ PHP_FUNCTION(openssl_x509_parse)
 	}
 
 	str_serial = i2s_ASN1_INTEGER(NULL, asn1_serial);
+	/* Can return NULL on error or memory allocation failure */
+	if (!str_serial) {
+		php_openssl_store_errors();
+		goto err;
+	}
+
 	add_assoc_string(return_value, "serialNumber", str_serial);
 	OPENSSL_free(str_serial);
 
