From 0d2874b37a6b1da258aac81bd647fc02cbdf5547 Mon Sep 17 00:00:00 2001 From: YZL0v3ZZ <2055877225@qq.com> Date: Wed, 11 Mar 2026 21:48:14 +0800 Subject: [PATCH] Fix resource leak in crls_http_cb() When the function fails to push the second CRL to the stack, it incorrectly uses sk_X509_CRL_free() instead of sk_X509_CRL_pop_free(). This destroys the stack container but orphans previously pushed X509_CRL objects. Replace it with sk_X509_CRL_pop_free passing X509_CRL_free as the cleanup routine to ensure deep deallocation of any pushed items. Reviewed-by: Eugene Syromiatnikov Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Norbert Pocs Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/30372) --- apps/lib/apps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index e8d868f314..8747c03028 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2677,7 +2677,7 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx, error: X509_CRL_free(crl); - sk_X509_CRL_free(crls); + sk_X509_CRL_pop_free(crls, X509_CRL_free); return NULL; }
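Review bot: at the `error:` label, `X509_CRL_free(crl);` now runs immediately before `sk_X509_CRL_pop_free(crls, X509_CRL_free);`, so any path that reaches the label with `crl` still pointing at an object already pushed onto `crls` would free that object twice. The hunk does not show the `goto error` sites, so please confirm that on each of them `crl` is either NULL or not yet owned by the stack, and consider setting `crl = NULL` right after every successful push so the ownership transfer is explicit. The case the commit message describes, a failed push of the second CRL, leaves the first CRL on the stack and the second in `crl`, and that path is handled correctly by the new line.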