Commit 2c13bf1528 for openssl.org
commit 2c13bf15286328641a805eb3b7c97e27d42881fb
Author: Andrew Dinh <andrewd@openssl.org>
Date: Thu Jan 8 01:24:30 2026 +0900
PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
Fixes CVE-2025-69421
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:56:08 2026
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 0745bc9b08..ec1d2ee54a 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -146,6 +146,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it,
void *ret;
int outlen = 0;
+ if (oct == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+
if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
&out, &outlen, 0, libctx, propq))
return NULL;