From c2eadb4922979d0c9074a0f139bbb3a89b32898b Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Thu, 22 Jan 2026 22:16:02 +0100 Subject: [PATCH 1/2] Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails The X509_NAME_oneline() function can return NULL, which will cause a crash when the string length is computed via add_assoc_string(). Closes GH-21011. --- NEWS | 2 ++ ext/openssl/openssl.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/NEWS b/NEWS index 89d5bc0f884..ecc0aaee316 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,8 @@ PHP NEWS - OpenSSL: . Fix memory leaks when sk_X509_new_null() fails. (ndossche) + . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails. + (ndossche) - Phar: . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory). diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 2a502f20688..415974f2fa7 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -2166,6 +2166,12 @@ PHP_FUNCTION(openssl_x509_parse) } str_serial = i2s_ASN1_INTEGER(NULL, asn1_serial); + /* Can return NULL on error or memory allocation failure */ + if (!str_serial) { + php_openssl_store_errors(); + goto err; + } + add_assoc_string(return_value, "serialNumber", str_serial); OPENSSL_free(str_serial); From 62afc7a2fa93f2d8e8dc2c98fa25bfc56c7e0508 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+ndossche@users.noreply.github.com> Date: Thu, 22 Jan 2026 22:09:40 +0100 Subject: [PATCH 2/2] Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails The X509_NAME_oneline() function can return NULL, which will cause a crash when the string length is computed via add_assoc_string(). Closes GH-21010. --- NEWS | 2 ++ ext/openssl/openssl.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/NEWS b/NEWS index ecc0aaee316..e229b4aaec3 100644 --- a/NEWS +++ b/NEWS @@ -34,6 +34,8 @@ PHP NEWS . Fix memory leaks when sk_X509_new_null() fails. (ndossche) . Fix crash when in openssl_x509_parse() when i2s_ASN1_INTEGER() fails. (ndossche) + . Fix crash in openssl_x509_parse() when X509_NAME_oneline() fails. + (ndossche) - Phar: . Fixed bug GH-20882 (buildFromIterator breaks with missing base directory). diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 415974f2fa7..12383ac8c2c 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -2134,6 +2134,11 @@ PHP_FUNCTION(openssl_x509_parse) subject_name = X509_get_subject_name(cert); cert_name = X509_NAME_oneline(subject_name, NULL, 0); + if (cert_name == NULL) { + php_openssl_store_errors(); + goto err; + } + add_assoc_string(return_value, "name", cert_name); OPENSSL_free(cert_name);