Commit 669815e846 for openssl.org

commit 669815e846321e76cffae21ebf08008a20e132e9
Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date:   Thu Jul 3 19:26:48 2025 +0000

    fuzz/cmp.c: Correct the usages of BIO_new()

    Use BIO_free() to free "in" if an error occurs, to avoid a memory leak.
    Moreover, add a check for "out" to avoid a NULL pointer dereference.
    Also replace OPENSSL_assert with return.

    Fixes: e599d0a ("Add CMP fuzzing to fuzz/cmp.c, including a couple of helpers in crypto/cmp/")
    Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>

    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Mon Jan 12 18:40:14 2026
    (Merged from https://github.com/openssl/openssl/pull/27920)

diff --git a/fuzz/cmp.c b/fuzz/cmp.c
index 698c352a5b..b2b7d98081 100644
--- a/fuzz/cmp.c
+++ b/fuzz/cmp.c
@@ -176,13 +176,26 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
         return 0;

     in = BIO_new(BIO_s_mem());
-    OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+    if ((size_t)BIO_write(in, buf, (int)len) != len) {
+        BIO_free(in);
+        return 0;
+    }
+
     msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
     if (msg != NULL) {
         BIO *out = BIO_new(BIO_s_null());
         OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
         OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);

+        if (out == NULL) {
+            OSSL_CMP_CTX_free(client_ctx);
+            OSSL_CMP_SRV_CTX_free(srv_ctx);
+            OSSL_CMP_MSG_free(msg);
+            BIO_free(in);
+            ERR_clear_error();
+            return 0;
+        }
+
         i2d_OSSL_CMP_MSG_bio(out, msg);
         ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
             ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
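Review bot: The early return added after BIO_write() leaves the error queue untouched, while the new `out == NULL` path calls ERR_clear_error() before returning; a failed BIO_new() may leave entries on the queue, so stale errors could carry into the next fuzz iteration and make findings harder to reproduce. The same guard also handles a NULL `in` only implicitly, by relying on BIO_write() to fail on it rather than checking the allocation. I would write it as `if (in == NULL || (size_t)BIO_write(in, buf, (int)len) != len) {` and add `ERR_clear_error();` before its `return 0;`. FuzzerTestOneInput begins and ends outside this hunk, so whether the normal exit path clears the queue cannot be confirmed from here.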