Fix memory leak in openssl_x509_parse()

mszabo-wikia · mszabo-wikia · commit 09e51447f2e5 · 2026-02-09T15:46:53.000+01:00
If called with a `NULL` buffer argument, `X509_NAME_oneline` returns a pointer to an owned buffer that the caller is responsible for freeing. OpenSSL 3.x documents this expectation[1] and existing 1.1.1 usage concurs.[2] [1] https://docs.openssl.org/master/man3/X509_NAME_print_ex/ [2] https://github.com/openssl/openssl/blob/e04bd3433fd84e1861bf258ea37928d9845e6a86/crypto/x509/x_name.c#L498
diff --git a/hphp/runtime/ext/openssl/ext_openssl.cpp b/hphp/runtime/ext/openssl/ext_openssl.cpp
@@ -2772,7 +2772,11 @@ Variant HHVM_FUNCTION(openssl_x509_parse, const Variant& x509cert,
   auto ret = Array::CreateDict();
   const auto sn = X509_get_subject_name(cert);
   if (sn) {
-    ret.set(s_name, String(X509_NAME_oneline(sn, nullptr, 0), CopyString));
+    char* subjectName = X509_NAME_oneline(sn, nullptr, 0);
+    SCOPE_EXIT {
+      OPENSSL_free(subjectName);
+    };
+    ret.set(s_name, String(subjectName, CopyString));
   }
   add_assoc_name_entry(ret, "subject", sn, shortnames);
   /* hash as used in CA directories to lookup cert by subject name */
