A tiny patch for a giant function. This kind of looks right, based on some other examples in the function, but it's hard to say for sure since this one function (X509_verify_cert; is that important?) has about a dozen different exit points which free or don't free any number of variables, stacks, chains, etc.
Index: x509_vfy.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/x509/x509_vfy.c,v retrieving revision 1.27 diff -u -p -r1.27 x509_vfy.c --- x509_vfy.c 12 Jun 2014 15:49:31 -0000 1.27 +++ x509_vfy.c 18 Jun 2014 18:09:51 -0000 @@ -313,7 +313,11 @@ X509_verify_cert(X509_STORE_CTX *ctx) ctx->current_cert = x; } else { - sk_X509_push(ctx->chain, chain_ss); + if (!sk_X509_push(ctx->chain, chain_ss)) { + X509_free(chain_ss); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + return 0; + } num++; ctx->last_untrusted = num; ctx->current_cert = chain_ss;