Commit 6e22081cbd for openssl.org

commit 6e22081cbd1596d83bbfea6a90a68f026cf372ec
Author: Alexandr Nedvedicky <sashan@openssl.org>
Date:   Thu Feb 26 10:59:37 2026 +0100

    copy_email() may leak memory when asked to move data
    instead of copy

    Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1681722

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    MergeDate: Mon Mar  2 12:51:48 2026
    (Merged from https://github.com/openssl/openssl/pull/30192)

diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 247fe0a1ae..3dcd0b026e 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -439,9 +439,6 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
     while ((i = X509_NAME_get_index_by_NID(nm,
                 NID_pkcs9_emailAddress, i))
         >= 0) {
-        /* XXX Casts away const */
-        ne = (X509_NAME_ENTRY *)X509_NAME_get_entry(nm, i);
-        email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
         if (move_p) {
             /* We should really not support deleting things in a const object
              * to rip the pointer out of it. If we truly want a new object
@@ -449,6 +446,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
              */
             return 0;
         }
+        /* XXX Casts away const */
+        ne = (X509_NAME_ENTRY *)X509_NAME_get_entry(nm, i);
+        email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
         if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
             ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
             goto err;
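Review bot: The `move_p` branch now sitting above the relocated `ASN1_STRING_dup()` call still fails with a bare `return 0;` and puts nothing on the error queue, unlike the allocation-failure path just below it, which calls `ERR_raise()` before `goto err`. A caller that requested a move therefore gets a failure with no recorded reason; adding `ERR_raise(ERR_LIB_X509V3, ERR_R_UNSUPPORTED);` before the `return 0;` would make the rejection diagnosable. The test is also loop-invariant, so it only fires once the subject name yields at least one emailAddress entry. If a move request should be refused regardless of the name's contents, the check belongs before the `while`, but whether that is intended cannot be judged from this hunk. The body of `copy_email()` starts and ends outside the hunk, so the `err:` cleanup and the declaration of `ne` are not visible here.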