commit 515c728dbaa92211d2eafb0041ab9fcd258fdc41

Author: Bernd Edlinger <bernd.edlinger@hotmail.de>

Date:   Mon Sep 9 19:12:25 2019 +0200

    Fix potential memory leaks with BN_to_ASN1_INTEGER

    Reviewed-by: Paul Dale <paul.dale@oracle.com>

    Reviewed-by: Matt Caswell <matt@openssl.org>

    (Merged from https://github.com/openssl/openssl/pull/9833)

    (cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c

index 1ce1181fc1..7cbf8de981 100644

--- a/crypto/ec/ec_asn1.c

+++ b/crypto/ec/ec_asn1.c

@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,

     unsigned char *buffer = NULL;

     const EC_POINT *point = NULL;

     point_conversion_form_t form;

+    ASN1_INTEGER *orig;

     if (params == NULL) {

         if ((ret = ECPARAMETERS_new()) == NULL) {

@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,

         ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);

         goto err;

     }

-    ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);

+    ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);

     if (ret->order == NULL) {

+        ret->order = orig;

         ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);

         goto err;

     }

@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,

     /* set the cofactor (optional) */

     tmp = EC_GROUP_get0_cofactor(group);

     if (tmp != NULL) {

-        ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);

+        ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);

         if (ret->cofactor == NULL) {

+            ret->cofactor = orig;

             ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);

             goto err;

         }

diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c

index 089f2ae29f..ef2d64826f 100644

--- a/crypto/x509v3/v3_asid.c

+++ b/crypto/x509v3/v3_asid.c

@@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,

 static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)

 {

     ASN1_INTEGER *a_max_plus_one = NULL;

+    ASN1_INTEGER *orig;

     BIGNUM *bn = NULL;

     int i, ret = 0;

@@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)

          */

         if ((bn == NULL && (bn = BN_new()) == NULL) ||

             ASN1_INTEGER_to_BN(a_max, bn) == NULL ||

-            !BN_add_word(bn, 1) ||

-            (a_max_plus_one =

-             BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {

+            !BN_add_word(bn, 1)) {

+            X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,

+                      ERR_R_MALLOC_FAILURE);

+            goto done;

+        }

+

+        if ((a_max_plus_one =

+                BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {

+            a_max_plus_one = orig;

             X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,

                       ERR_R_MALLOC_FAILURE);

             goto done;

@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)

 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)

 {

     ASN1_INTEGER *a_max_plus_one = NULL;

+    ASN1_INTEGER *orig;

     BIGNUM *bn = NULL;

     int i, ret = 0;

@@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)

          */

         if ((bn == NULL && (bn = BN_new()) == NULL) ||

             ASN1_INTEGER_to_BN(a_max, bn) == NULL ||

-            !BN_add_word(bn, 1) ||

-            (a_max_plus_one =

-             BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {

+            !BN_add_word(bn, 1)) {

+            X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,

+                      ERR_R_MALLOC_FAILURE);

+            goto done;

+        }

+

+        if ((a_max_plus_one =

+                 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {

+            a_max_plus_one = orig;

             X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,

                       ERR_R_MALLOC_FAILURE);

             goto done;

commit 86ed78676c660b553696cc10c682962522dfeb6c

Author: Tomas Mraz <tmraz@fedoraproject.org>

Date:   Thu Sep 12 12:27:36 2019 +0200

    BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.

    There can be data to write in output buffer and data to read that were

    not yet read in the input stream.

    Fixes #9866

    Reviewed-by: Richard Levitte <levitte@openssl.org>

    (Merged from https://github.com/openssl/openssl/pull/9877)

    (cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)

diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c

index d688deee5f..7c1be358fd 100644

--- a/crypto/comp/c_zlib.c

+++ b/crypto/comp/c_zlib.c

@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)

         BIO_copy_next_retry(b);

         break;

+    case BIO_CTRL_WPENDING:

+        if (ctx->obuf == NULL)

+            return 0;

+

+        if (ctx->odone) {

+            ret = ctx->ocount;

+        } else {

+            ret = ctx->ocount;

+            if (ret == 0)

+                /* Unknown amount pending but we are not finished */

+                ret = 1;

+        }

+        if (ret == 0)

+            ret = BIO_ctrl(next, cmd, num, ptr);

+        break;

+

+    case BIO_CTRL_PENDING:

+        ret = ctx->zin.avail_in;

+        if (ret == 0)

+            ret = BIO_ctrl(next, cmd, num, ptr);

+        break;

+

     default:

         ret = BIO_ctrl(next, cmd, num, ptr);

         break;