Commit b44fd71741 for openssl.org

commit b44fd71741b7b5092c087d227b32298c7fedb520
Author: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date:   Tue Apr 21 10:32:50 2026 +0900

    pkcs7: Fix negative index handling in PKCS7_get_issuer_and_serial()

    Reject negative indices before looking up the recipient info stack
    entry.  This makes negative out-of-range indices match the existing
    behavior for too-large positive indices and avoids dereferencing
    a NULL recipient info.

    Add a regression test for the negative index case.

    Resolves: https://github.com/openssl/openssl/issues/30910

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
    MergeDate: Wed Jun 24 09:10:22 2026
    (Merged from https://github.com/openssl/openssl/pull/30914)

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 7b6a3b36b4..1878b4aac2 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1171,7 +1171,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
     rsk = p7->d.signed_and_enveloped->recipientinfo;
     if (rsk == NULL)
         return NULL;
-    if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
+    if (idx < 0 || sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
         return NULL;
     ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
     return ri->issuer_and_serial;
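Review bot: The value returned by `ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);` is still dereferenced on the next line without a NULL check, so the new range guard closes the out-of-range case but not a NULL entry inside the stack, which the generic stack API does not reject on push as far as I can tell. A one-line guard between the lookup and the return, `if (ri == NULL) return NULL;`, would make the function robust against that as well and documents that the lookup, not only the index, is validated. I would also add a short comment above the range check, `/* reject negative and too-large indices before the lookup; sk_value() returns NULL for both */`, since the reason for the explicit check is not obvious from the code. PKCS7_get_issuer_and_serial() starts before this hunk, so any earlier type check on p7 is not visible here.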
diff --git a/test/pkcs7_test.c b/test/pkcs7_test.c
index adf069695e..3fe68f60aa 100644
--- a/test/pkcs7_test.c
+++ b/test/pkcs7_test.c
@@ -15,6 +15,30 @@
 #include "internal/nelem.h"
 #include "testutil.h"

+static int pkcs7_issuer_and_serial_negative_idx_test(void)
+{
+    PKCS7 *p7 = NULL;
+    PKCS7_RECIP_INFO *ri = NULL;
+    int ret = 0;
+
+    if (!TEST_ptr(p7 = PKCS7_new())
+        || !TEST_true(PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped))
+        || !TEST_ptr(ri = PKCS7_RECIP_INFO_new())
+        || !TEST_true(PKCS7_add_recipient_info(p7, ri)))
+        goto end;
+    ri = NULL;
+
+    if (!TEST_ptr(PKCS7_get_issuer_and_serial(p7, 0))
+        || !TEST_ptr_null(PKCS7_get_issuer_and_serial(p7, -1)))
+        goto end;
+
+    ret = 1;
+end:
+    PKCS7_RECIP_INFO_free(ri);
+    PKCS7_free(p7);
+    return ret;
+}
+
 #ifndef OPENSSL_NO_EC
 static const unsigned char cert_der[] = {
     0x30, 0x82, 0x01, 0x51, 0x30, 0x81, 0xf7, 0xa0, 0x03, 0x02, 0x01, 0x02,
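Review bot: The regression test in pkcs7_issuer_and_serial_negative_idx_test() exercises only idx == -1, which does not distinguish the new `idx < 0` check from an off-by-one fix, and it does not pin the too-large positive case the commit message says it is meant to match. I would extend the second TEST block with `|| !TEST_ptr_null(PKCS7_get_issuer_and_serial(p7, 1))` for the one-past-the-end index and `|| !TEST_ptr_null(PKCS7_get_issuer_and_serial(p7, INT_MIN))` for the extreme negative value, adding `#include <limits.h>` if the test headers do not already provide it. A one-line comment above the function, `/* Regression test for issue 30910: an out-of-range index must return NULL, not dereference a missing entry */`, would tell the next reader why this test sits outside the OPENSSL_NO_EC block. The ownership handling looks right: ri is set to NULL once PKCS7_add_recipient_info() has taken it, so the cleanup path frees it only when the add failed.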
@@ -389,6 +413,7 @@ end:

 int setup_tests(void)
 {
+    ADD_TEST(pkcs7_issuer_and_serial_negative_idx_test);
 #ifndef OPENSSL_NO_EC
     ADD_TEST(pkcs7_verify_test);
     ADD_TEST(pkcs7_inner_content_verify_test);