Handle empty signed data in PKCS7

This will have certificates and crls return nil instead of segfaulting. Fixes [Bug #19974]
ruby · Oct 26, 2023 · d84a5f2 · d84a5f2
1 parent c9b48f9
commit d84a5f2
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/ext/openssl/ossl_pkcs7.c b/ext/openssl/ossl_pkcs7.c
@@ -609,20 +609,24 @@ static STACK_OF(X509) *
 pkcs7_get_certs(VALUE self)
 {
     PKCS7 *pkcs7;
-    STACK_OF(X509) *certs;
+    STACK_OF(X509) *certs = NULL;
     int i;
 
     GetPKCS7(self, pkcs7);
     i = OBJ_obj2nid(pkcs7->type);
     switch(i){
     case NID_pkcs7_signed:
-        certs = pkcs7->d.sign->cert;
+        if (pkcs7->d.sign) {
+            certs = pkcs7->d.sign->cert;
+        }
         break;
     case NID_pkcs7_signedAndEnveloped:
-        certs = pkcs7->d.signed_and_enveloped->cert;
+        if (pkcs7->d.signed_and_enveloped) {
+            certs = pkcs7->d.signed_and_enveloped->cert;
+        }
         break;
     default:
-        certs = NULL;
+        ; /* nothing */
     }
 
     return certs;
@@ -632,20 +636,24 @@ static STACK_OF(X509_CRL) *
 pkcs7_get_crls(VALUE self)
 {
     PKCS7 *pkcs7;
-    STACK_OF(X509_CRL) *crls;
+    STACK_OF(X509_CRL) *crls = NULL;
     int i;
 
     GetPKCS7(self, pkcs7);
     i = OBJ_obj2nid(pkcs7->type);
     switch(i){
     case NID_pkcs7_signed:
-        crls = pkcs7->d.sign->crl;
+        if (pkcs7->d.sign) {
+            crls = pkcs7->d.sign->crl;
+        }
         break;
     case NID_pkcs7_signedAndEnveloped:
-        crls = pkcs7->d.signed_and_enveloped->crl;
+        if (pkcs7->d.signed_and_enveloped) {
+            crls = pkcs7->d.signed_and_enveloped->crl;
+        }
         break;
     default:
-        crls = NULL;
+        ; /* nothing */
     }
 
     return crls;

diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
@@ -155,6 +155,13 @@ def test_enveloped
     assert_equal(data, p7.decrypt(@rsa1024))
   end
 
+  def test_empty_signed_data_ruby_bug_19974
+    data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
+    p7 = OpenSSL::PKCS7.new(data)
+    assert_nil p7.certificates
+    assert_nil p7.crls
+  end
+
   def test_graceful_parsing_failure #[ruby-core:43250]
     contents = File.read(__FILE__)
     assert_raise(ArgumentError) { OpenSSL::PKCS7.new(contents) }