Commit a95b21c556 for asterisk.org

commit a95b21c556dc344cfafcafa83ee688daa4400b98
Author: Mike Bradeen <mbradeen@sangoma.com>
Date:   Wed May 6 16:33:43 2026 -0600

    res_stir_shaken: fix memory free crash when Asterisk is built with malloc_debug

    crypto_utils uses ast_asprintf to allocate the search string when checking the
    certificate subject, but was not using ast_free to free it. This caused a crash
    when Asterisk was built with malloc_debug

    Resolves: #1921

diff --git a/res/res_stir_shaken/crypto_utils.c b/res/res_stir_shaken/crypto_utils.c
index b1671c1593..ce22bf8bc9 100644
--- a/res/res_stir_shaken/crypto_utils.c
+++ b/res/res_stir_shaken/crypto_utils.c
@@ -917,9 +917,15 @@ time_t crypto_asn_time_as_time_t(ASN1_TIME *at)
 char *crypto_get_cert_subject(X509 *cert, const char *short_name)
 {
 	size_t len = 0;
+	/* buffer is allocated via open_memstream, which is outside of Asterisk's
+	   memory management. It therefore must be freed via ast_std_free to
+	   remain independent of MALLOC_DEBUG */
 	RAII_VAR(char *, buffer, NULL, ast_std_free);
+	/* search is allocated via ast_asprintf, which is within Asterisk's
+	   memory management. It therefore must be freed via ast_free or will
+	   cause a crash when used with MALLOC_DEBUG */
+	RAII_VAR(char *, search, NULL, ast_free);
 	char *search_buff = NULL;
-	char *search = NULL;
 	size_t search_len = 0;
 	char *rtn = NULL;
 	char *line = NULL;
@@ -971,7 +977,6 @@ char *crypto_get_cert_subject(X509 *cert, const char *short_name)
 		}
 	}

-	ast_std_free(search);
 	return rtn;
 }