From 389fb92016d3806dc446363396d464e9c88708ca Mon Sep 17 00:00:00 2001 From: ndossche <7771979+ndossche@users.noreply.github.com> Date: Tue, 5 May 2026 20:08:00 +0200 Subject: [PATCH] openssl: Add error checks for CMS_get1_certs() and CMS_get1_crls() These allocate new stacks and add the certificates to those as clones. So these aren't trivial refcount increases and might fail. Unfortunately, an empty stack also results in a NULL return, so to distinguish an empty stack from a failure we check the error stack.
---
 ext/openssl/openssl.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 6d179cebabda..7eda436a6db4 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -6677,6 +6677,10 @@ PHP_FUNCTION(openssl_cms_read)
 case NID_pkcs7_signedAndEnveloped:
 certs = CMS_get1_certs(cms);
 crls = CMS_get1_crls(cms);
+ if ((!certs || !crls) && ERR_peek_error() != 0) {
+ php_openssl_store_errors();
+ goto clean_exit;
+ }
 break;
 default:
 break;
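Review bot: The `ERR_peek_error() != 0` test in the added `if` reads the whole per-thread OpenSSL error queue, so an entry left behind by an earlier call would make a message that legitimately carries no certificates or no CRLs look like a failure. Nothing in the hunk shows the queue being emptied before `CMS_get1_certs()`; if that is not done earlier in `openssl_cms_read` (the function starts and ends outside the hunk), draining it right before the two calls, for example with `ERR_clear_error();` or by bracketing them with `ERR_set_mark();` and `ERR_pop_to_mark();`, makes the check mean what the commit message describes. Because both getters return newly allocated stacks, it is also worth confirming that `clean_exit` frees whichever of `certs` and `crls` did succeed when the other one failed. A short comment above the check such as `/* NULL also means "empty"; only a queued error marks a real failure */` would record the reasoning that currently lives only in the commit log.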