We can't check policy if we got an empty stack of certs

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25186)
author: Dmitry Belyavskiy <beldmit@gmail.com> 2024-08-14 14:40:39 +0200
committer: Dmitry Belyavskiy <beldmit@gmail.com> 2024-08-17 18:09:15 +0200
commit: 8d28402ce38842e8aca9e0ce26ae44fa10c7b62e (patch)
tree: 3503abdf4e43c9be6c5e8b3d9f6d3bed195ea19a
parent: 7c3c7374ce8676331770a8f9bbc1452bbdacf3be (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
index d7307b12da..86e3afc881 100644
--- a/crypto/x509/pcy_tree.c
+++ b/crypto/x509/pcy_tree.c
@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
 
     *ptree = NULL;
 
+    if (n < 0)
+        return X509_PCY_TREE_INTERNAL;
     /* Can't do anything with just a trust anchor */
     if (n == 0)
         return X509_PCY_TREE_EMPTY;
author	Dmitry Belyavskiy <beldmit@gmail.com>	2024-08-14 14:40:39 +0200
committer	Dmitry Belyavskiy <beldmit@gmail.com>	2024-08-17 18:09:15 +0200
commit	8d28402ce38842e8aca9e0ce26ae44fa10c7b62e (patch)
tree	3503abdf4e43c9be6c5e8b3d9f6d3bed195ea19a
parent	7c3c7374ce8676331770a8f9bbc1452bbdacf3be (diff)