--- h:\prj\1original\openssl\openssl\crypto\x509v3\v3_pci.c	2009-08-24 16:57:49.000000000 +-0200
+++ h:\prj\3actual\openssl\crypto\x509v3\v3_pci.c	2009-08-24 18:54:25.000000000 +-0200
@@ -108,13 +108,13 @@
 			return 0;
 			}
 		}
 	else if (strcmp(val->name, "policy") == 0)
 		{
 		unsigned char *tmp_data = NULL;
-		long val_len;
+		size_t val_len;
 		if (!*policy)
 			{
 			*policy = ASN1_OCTET_STRING_new();
 			if (!*policy)
 				{
 				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
@@ -125,24 +125,40 @@
 			}
 		if (strncmp(val->value, "hex:", 4) == 0)
 			{
 			unsigned char *tmp_data2 =
 				string_to_hex(val->value + 4, &val_len);
 
-			if (!tmp_data2) goto err;
+			if (!tmp_data2) 
+				{
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_ILLEGAL_HEX);
+				X509V3_conf_err(val);
+				goto err;
+				}
 
 			tmp_data = OPENSSL_realloc((*policy)->data,
 				(*policy)->length + val_len + 1);
 			if (tmp_data)
 				{
 				(*policy)->data = tmp_data;
 				memcpy(&(*policy)->data[(*policy)->length],
 					tmp_data2, val_len);
 				(*policy)->length += val_len;
 				(*policy)->data[(*policy)->length] = '\0';
 				}
+			else
+				{
+				OPENSSL_free(tmp_data2);
+				/* realloc failure implies the original data space is b0rked too! */
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
+				}
+			OPENSSL_free(tmp_data2); /* [i_a] fix memleak */
 			}
 		else if (strncmp(val->value, "file:", 5) == 0)
 			{
 			unsigned char buf[2048];
 			int n;
 			BIO *b = BIO_new_file(val->value + 5, "r");
@@ -166,12 +182,13 @@
 				(*policy)->data = tmp_data;
 				memcpy(&(*policy)->data[(*policy)->length],
 					buf, n);
 				(*policy)->length += n;
 				(*policy)->data[(*policy)->length] = '\0';
 				}
+			BIO_free_all(b); /* [i_a] leak fix */
 
 			if (n < 0)
 				{
 				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_BIO_LIB);
 				X509V3_conf_err(val);
 				goto err;
@@ -186,12 +203,21 @@
 				{
 				(*policy)->data = tmp_data;
 				memcpy(&(*policy)->data[(*policy)->length],
 					val->value + 5, val_len);
 				(*policy)->length += val_len;
 				(*policy)->data[(*policy)->length] = '\0';
+				}
+			else
+				{
+				/* realloc failure implies the original data space is b0rked too! */
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
 				}
 			}
 		else
 			{
 			X509V3err(X509V3_F_PROCESS_PCI_VALUE,X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
 			X509V3_conf_err(val);