From 4fb09446d6e86bc1b2a938e252f1133154f854c2 Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Wed, 25 Feb 2026 20:15:43 +0100
Subject: [PATCH] Fix missing error check on BIO_get_mem_ptr()

LibreSSL docs state this can fail. OpenSSL has no docs for this, but the
implementation goes via BIO_ctrl() which can fail (e.g. via a callback).
Example Valgrind trace:
```
Invalid read of size 1
  memmove (at /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  memcpy (string_fortified.h:29)
  ossl_str_new (ossl.c:107)
  ossl_membio2str (ossl_bio.c:36)
  ossl_x509ext_get_value (ossl_x509ext.c:390)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  rb_catch_obj (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_yield (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_ary_each (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_yield (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_ary_each (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_yield (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_ary_each (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  rb_catch_obj (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  rb_vm_exec (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_vm_invoke_proc (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  rb_proc_call_kw (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  <unknown stack frame>
  <unknown stack frame>
  ruby_run_node (at /usr/lib/x86_64-linux-gnu/libruby-3.2.so.3.2.3)
  <unknown stack frame>
  (below main) (libc_start_call_main.h:58)
```
---
 ext/openssl/ossl_bio.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ext/openssl/ossl_bio.c b/ext/openssl/ossl_bio.c
index 4edde5091..cc03c5d5f 100644
--- a/ext/openssl/ossl_bio.c
+++ b/ext/openssl/ossl_bio.c
@@ -32,7 +32,11 @@ ossl_membio2str(BIO *bio)
     int state;
     BUF_MEM *buf;
 
-    BIO_get_mem_ptr(bio, &buf);
+    if (BIO_get_mem_ptr(bio, &buf) <= 0) {
+        BIO_free(bio);
+        ossl_raise(eOSSLError, "BIO_get_mem_ptr");
+    }
+
     ret = ossl_str_new(buf->data, buf->length, &state);
     BIO_free(bio);
     if (state)