From 16b352675cfdab6154403fd3d559e6c694d96dc8 Mon Sep 17 00:00:00 2001
From: K1 <dongbeiouba@gmail.com>
Date: Thu, 20 Jun 2024 17:53:29 +0800
Subject: [PATCH] Fix coverity issues, CID 471315 and 356192

471315, EC_POINTS_new: Reads target of a freed pointer

356192, pkey_dh_derive: Out-of-bounds access to a buffer
---
 crypto/dh/dh_pmeth.c | 2 +-
 crypto/ec/ec_lib.c   | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 1ad50b850..ea344fbb0 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -432,7 +432,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
     else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
 
         unsigned char *Z = NULL;
-        size_t Zlen = 0;
+        int Zlen = 0;
         if (!dctx->kdf_outlen || !dctx->kdf_oid)
             return 0;
         if (key == NULL) {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index e92f582db..62d3b5d56 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -795,8 +795,10 @@ EC_POINTS *EC_POINTS_new(const EC_GROUP *group, int count)
 
     for (i = 0; i < count; i++) {
         point = EC_POINT_new(group);
-        if (point == NULL)
+        if (point == NULL) {
             EC_POINTS_free(ret);
+            return NULL;
+        }
 
         ret->items[i] = point;
     }