From 3deaf7606b700346efe6397451234c1c086628fe Mon Sep 17 00:00:00 2001
From: Samuel Chiang
Date: Tue, 4 Feb 2025 22:23:08 +0000
Subject: [PATCH] Add null check for mac_salt
---
 crypto/pkcs8/pkcs8_x509.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
index efd80fba17..a0bdb4b5e9 100644
--- a/crypto/pkcs8/pkcs8_x509.c
+++ b/crypto/pkcs8/pkcs8_x509.c
@@ -1386,6 +1386,9 @@ int PKCS12_set_mac(PKCS12 *p12, const char *password, int password_len,
 }
 // Generate |mac_salt| if |salt| is NULL and copy if NULL.
 uint8_t *mac_salt = OPENSSL_malloc(salt_len);
+ if (mac_salt == NULL) {
+ goto out;
+ }
 if (salt == NULL) {
 if (!RAND_bytes(mac_salt, salt_len)) {
 goto out;
@@ -1454,7 +1457,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *password, int password_len,
 // Verify that the new password is consistent with the original. This is
 // behavior specific to AWS-LC.
 OPENSSL_free(p12->ber_bytes);
- if(!CBB_finish(&cbb, &p12->ber_bytes, &p12->ber_len) ||
+ if (!CBB_finish(&cbb, &p12->ber_bytes, &p12->ber_len) ||
 !PKCS12_verify_mac(p12, password, password_len)) {
 CBB_cleanup(&cbb);
 goto out;
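Review bot: In the first hunk (`@@ -1386,6 +1386,9 @@`), `salt_len` still reaches `OPENSSL_malloc(salt_len)` and `RAND_bytes(mac_salt, salt_len)` with no range check in the visible lines, so the added `mac_salt == NULL` guard is the only thing that catches a bad length. The declaration of `salt_len` is outside the hunk; if it is a signed `int` like `password_len` and is not validated earlier in the function, a negative value converts to a huge allocation size and is reported only as an allocation failure. An explicit `if (salt_len < 0) { goto out; }` before the allocation, with whatever error the function uses for invalid arguments, would make that case deliberate rather than incidental. The context comment above the allocation reads "copy if NULL" where it presumably means "copy |salt| otherwise", and could be corrected in the same change. The `out` label is outside the hunk, so this assumes its cleanup tolerates a NULL `mac_salt`.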