Free data if sk_OPENSSL_STRING_push fails.

Fixes #26203

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26227)

2 files changed, 12 insertions, 2 deletions

diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
index 9ba5b31a44..1474474a2d 100644
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -122,7 +122,11 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
                 uris = sk_OPENSSL_STRING_new_null();
                 X509_LOOKUP_set_method_data(ctx, uris);
             }
-            return sk_OPENSSL_STRING_push(uris, data) > 0;
+            if (sk_OPENSSL_STRING_push(uris, data) <= 0) {
+                OPENSSL_free(data);
+                return 0;
+            }
+            return 1;
         }
         /* NOP if no URI is given. */
         return 1;
diff --git a/test/evp_test.c b/test/evp_test.c
index 30a5c85468..4ca11f5829 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -202,7 +202,13 @@ static int ctrladd(STACK_OF(OPENSSL_STRING) *controls, const char *value)
 
     if (data == NULL)
         return -1;
-    return sk_OPENSSL_STRING_push(controls, data) > 0;
+
+    if (sk_OPENSSL_STRING_push(controls, data) <= 0) {
+        OPENSSL_free(data);
+        return -1;
+    }
+
+    return 1;
 }
 
 /* Because OPENSSL_free is a macro, it can't be passed as a function pointer */