Commit b44fd71741 for openssl.org
commit b44fd71741b7b5092c087d227b32298c7fedb520
Author: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Tue Apr 21 10:32:50 2026 +0900
pkcs7: Fix negative index handling in PKCS7_get_issuer_and_serial()
Reject negative indices before looking up the recipient info stack
entry. This makes negative out-of-range indices match the existing
behavior for too-large positive indices and avoids dereferencing
a NULL recipient info.
Add a regression test for the negative index case.
Resolves: https://github.com/openssl/openssl/issues/30910
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
MergeDate: Wed Jun 24 09:10:22 2026
(Merged from https://github.com/openssl/openssl/pull/30914)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 7b6a3b36b4..1878b4aac2 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1171,7 +1171,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
rsk = p7->d.signed_and_enveloped->recipientinfo;
if (rsk == NULL)
return NULL;
- if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
+ if (idx < 0 || sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
return NULL;
ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
return ri->issuer_and_serial;
diff --git a/test/pkcs7_test.c b/test/pkcs7_test.c
index adf069695e..3fe68f60aa 100644
--- a/test/pkcs7_test.c
+++ b/test/pkcs7_test.c
@@ -15,6 +15,30 @@
#include "internal/nelem.h"
#include "testutil.h"
+static int pkcs7_issuer_and_serial_negative_idx_test(void)
+{
+ PKCS7 *p7 = NULL;
+ PKCS7_RECIP_INFO *ri = NULL;
+ int ret = 0;
+
+ if (!TEST_ptr(p7 = PKCS7_new())
+ || !TEST_true(PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped))
+ || !TEST_ptr(ri = PKCS7_RECIP_INFO_new())
+ || !TEST_true(PKCS7_add_recipient_info(p7, ri)))
+ goto end;
+ ri = NULL;
+
+ if (!TEST_ptr(PKCS7_get_issuer_and_serial(p7, 0))
+ || !TEST_ptr_null(PKCS7_get_issuer_and_serial(p7, -1)))
+ goto end;
+
+ ret = 1;
+end:
+ PKCS7_RECIP_INFO_free(ri);
+ PKCS7_free(p7);
+ return ret;
+}
+
#ifndef OPENSSL_NO_EC
static const unsigned char cert_der[] = {
0x30, 0x82, 0x01, 0x51, 0x30, 0x81, 0xf7, 0xa0, 0x03, 0x02, 0x01, 0x02,
@@ -389,6 +413,7 @@ end:
int setup_tests(void)
{
+ ADD_TEST(pkcs7_issuer_and_serial_negative_idx_test);
#ifndef OPENSSL_NO_EC
ADD_TEST(pkcs7_verify_test);
ADD_TEST(pkcs7_inner_content_verify_test);