From 6ec036bfdceadc4ca72f27d4369dfded0c194a19 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Sun, 22 Nov 2015 08:53:20 +0000
Subject: Don't hand null pointer to OpenSSL if we can't find a plausible
 issuer.  Not sure we really need the complex issuer-finding code at all
 anymore, but dumping core is not an appropriate form of social criticism.

svn path=/branches/tk705/; revision=6183
---
 ext/POW.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ext')

diff --git a/ext/POW.c b/ext/POW.c
index 969dd3fb..72eac014 100644
--- a/ext/POW.c
+++ b/ext/POW.c
@@ -1485,6 +1485,7 @@ static int check_x509(X509 *x,
    */
 
 #warning Why are we not checking the critical flag on these extensions?
+#warning We may need to check that these extensions only contain URIs
 
   if ((aia = X509_get_ext_d2i(x, NID_info_access, NULL, NULL)) != NULL)
     ex_count--;
@@ -3581,7 +3582,8 @@ x509_object_verify(x509_object *self, PyObject *args, PyObject *kwds)
         if (X509_check_issued((issuer = sk_X509_value(untrusted_stack, i)), self->x509) != 0)
           issuer = NULL;
 
-    is_ta = (sk_X509_num(trusted_stack) == 1 && 
+    is_ta = (issuer != NULL &&
+             sk_X509_num(trusted_stack) == 1 && 
              sk_X509_num(untrusted_stack) == 0 &&
              X509_cmp(issuer, self->x509) == 0);
 
-- 
cgit v1.2.3