From fade782e586bafb41b7f5af29d4c8f4103dd9394 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Wed, 18 Jan 2023 13:39:18 +0100
Subject: [PATCH] Fix memory leak in stream_handle(), CID 1519397, 1519388, 1519402, 1519403
---
 msi.c | 24 +++++++++++++++++-------
 osslsigncode.c | 6 ++----
 2 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/msi.c b/msi.c
index f1f7df8..d0f5b71 100644
--- a/msi.c
+++ b/msi.c
@@ -866,14 +866,19 @@ static uint32_t stream_read(MSI_FILE *msi, MSI_ENTRY *entry, u_char *p_msi, uint
 u_char *p_msiex, uint32_t len_msiex, char **indata, uint32_t inlen, int is_root)
 {
 if (is_root && !memcmp(entry->name, digital_signature, sizeof digital_signature)) {
- *indata = (char *)p_msi;
+ /* DigitalSignature */
 inlen = len_msi;
+ *indata = OPENSSL_malloc((size_t)inlen);
+ memcpy(*indata, p_msi, (size_t)inlen);
 } else if (is_root && !memcmp(entry->name, digital_signature_ex, sizeof digital_signature_ex)) {
- *indata = (char *)p_msiex;
+ /* MsiDigitalSignatureEx */
 inlen = len_msiex;
- } else {
+ *indata = OPENSSL_malloc((size_t)inlen);
+ memcpy(*indata, p_msiex, (size_t)inlen);
+ } else if (inlen != 0) {
+ *indata = (char *)OPENSSL_malloc(inlen);
 if (!msi_file_read(msi, entry, 0, *indata, inlen)) {
- printf("Failed to read stream data\n");
+ OPENSSL_free(indata);
 return 0; /* FAILED */
 }
 }
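Review bot: The error path in the new `else if (inlen != 0)` branch calls `OPENSSL_free(indata)`, but `indata` is the `char **` out-parameter rather than the buffer just stored in `*indata`; stream_handle passes `&indata`, the address of a local, so this hands a stack address to the allocator while the real buffer still leaks. It should read `OPENSSL_free(*indata); *indata = NULL;`. The three `OPENSSL_malloc` results are also used unchecked, and the two signature branches `memcpy` into them immediately, so each allocation wants `if (*indata == NULL) return 0; /* FAILED */` before the copy or read. stream_read's body continues outside the hunk.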
@@ -901,12 +906,17 @@ static int stream_handle(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, uint3
 return 0; /* FAILED */
 }
 } else { /* DIR_STREAM */
- uint32_t inlen = GET_UINT32_LE(child->entry->size);
- char *indata = (char *)OPENSSL_malloc(inlen);
 char buf[MAX_SECTOR_SIZE];
-
+ char *indata;
+ uint32_t inlen = GET_UINT32_LE(child->entry->size);
+ if (inlen >= MAXREGSECT) {
+ printf("Corrupted stream length 0x%08X\n", inlen);
+ return 0; /* FAILED */
+ }
+ /* DigitalSignature or MsiDigitalSignatureEx: inlen == 0 */
 inlen = stream_read(msi, child->entry, p_msi, len_msi, p_msiex, len_msiex, &indata, inlen, is_root);
 if (inlen == 0) {
+ printf("Failed to read stream data\n");
 continue;
 }
 /* set the size of the user-defined data if this is a stream object */
diff --git a/osslsigncode.c b/osslsigncode.c
index 6f6d018..43b5577 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -4776,10 +4776,7 @@ static int append_signature(PKCS7 *sig, PKCS7 *cursig, file_type_t type,
 BIO_write(outdata, p, *padlen);
 }
 } else if (type == FILE_TYPE_MSI) {
- int len_msi = *len;
- u_char *p_msi = OPENSSL_malloc((size_t)len_msi);
- memcpy(p_msi, p, (size_t)len_msi);
- if (!msi_file_write(msiparams->msi, msiparams->dirent, p_msi, (uint32_t)len_msi,
+ if (!msi_file_write(msiparams->msi, msiparams->dirent, p, (uint32_t)*len,
 msiparams->p_msiex, (uint32_t)msiparams->len_msiex, outdata)) {
 printf("Saving the msi file failed\n");
 OPENSSL_free(p);
@@ -5484,6 +5481,7 @@ static void free_msi_params(MSI_PARAMS *msiparams)
 {
 msi_file_free(msiparams->msi);
 msi_dirent_free(msiparams->dirent);
+ OPENSSL_free(msiparams->p_msiex);
 }

 static void free_crypto_params(CRYPTO_PARAMS *cparams)
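Review bot: `char *indata;` is now declared without an initializer, and stream_read assigns `*indata` only inside its three branches, so a non-signature stream with `inlen == 0` comes back with the pointer indeterminate. The `continue` that follows keeps it from being used today, but `char *indata = NULL;` would keep that safe against later edits. The added `printf("Failed to read stream data\n")` also fires for that zero-length case, which is not a read failure, so the message can mislead when the input is a malformed or untrusted MSI. stream_handle starts and ends outside the hunk, so where `indata` is released on the success path is not visible here.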
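Review bot: Passing `p` straight into `msi_file_write()` is only safe if nothing below that call frees or retains `p_msi`, and nothing at this call site records that. The stream_read hunk in msi.c now copies the signature bytes, which suggests the callee no longer takes ownership, but msi_file_write itself is not shown. A comment such as `/* msi_file_write() copies p; p stays owned by this function */` would document the contract that the `OPENSSL_free(p)` on the failure path relies on. `(uint32_t)*len` also converts what the removed `int len_msi = *len;` indicates is a signed value, so a range check before the call would be prudent if `*len` can ever be negative. append_signature continues outside the hunk.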
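Review bot: The added `OPENSSL_free(msiparams->p_msiex)` leaves a dangling pointer in the struct, so a second call to free_msi_params, or any other cleanup path that still frees `p_msiex`, would become a double free. Following it with `msiparams->p_msiex = NULL;` keeps the teardown idempotent. This commit appears to move ownership of the buffer to `MSI_PARAMS`, so it is worth confirming that no other path in osslsigncode.c still releases it; none is visible in this hunk.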