From 0f1b96a50a3a79fd699bf34121df8451ffa37b8f Mon Sep 17 00:00:00 2001
From: Matthias Baesken
Date: Mon, 26 Jan 2026 11:38:05 +0000
Subject: [PATCH] 8375684: Avoid leak in KeystoreImpl.m when using CFArrayCreateMutable
Reviewed-by: clanger
---
 .../macosx/native/libosxsecurity/KeystoreImpl.m | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
index 31572eaeb81..6d8eb832370 100644
--- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
+++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2026, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -134,10 +134,11 @@ static OSStatus completeCertChain(
 CFArrayAppendValue(certArray, identity);
 /* the single element in certs-to-be-evaluated comes from the identity */
- ortn = SecIdentityCopyCertificate(identity, &certRef);
- if(ortn) {
+ ortn = SecIdentityCopyCertificate(identity, &certRef);
+ if (ortn) {
 /* should never happen */
 cssmPerror("SecIdentityCopyCertificate", ortn);
+ CFRelease(certArray);
 return ortn;
 }
@@ -283,6 +284,7 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
 OSStatus err = SecIdentitySearchCreate(NULL, 0, &identitySearch);
 SecIdentityRef theIdentity = NULL;
 OSErr searchResult = noErr;
+ CFArrayRef certChain = NULL;
 do {
 searchResult = SecIdentitySearchCopyNext(identitySearch, &theIdentity);
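Review bot: The new `CFRelease(certArray);` in the completeCertChain hunk covers only this one early return, and the function body continues past the end of the hunk, so any later failure exit that does not hand certArray to the caller would leak it in the same way. It is worth confirming that every remaining exit either releases the array or transfers it to the caller. A short comment on the added line, such as `/* certArray is not returned on this path; drop our reference */`, would record the ownership rule for the next reader. The whitespace clean-up of the `ortn = ...` and `if (ortn)` lines is mixed into the same hunk, which makes the one-line behavioural fix harder to pick out in history.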
@@ -291,7 +293,6 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
 // Get the cert from the identity, then generate a chain.
 SecCertificateRef certificate;
 SecIdentityCopyCertificate(theIdentity, &certificate);
- CFArrayRef certChain = NULL;
 // *** Should do something with this error...
 err = completeCertChain(theIdentity, NULL, TRUE, &certChain);
@@ -357,6 +358,11 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
 if ((*env)->ExceptionCheck(env)) {
 goto errOut;
 }
+
+ if (certChain != NULL) {
+ CFRelease(certChain);
+ certChain = NULL;
+ }
 }
 } while (searchResult == noErr);
@@ -364,6 +370,9 @@ errOut:
 if (identitySearch != NULL) {
 CFRelease(identitySearch);
 }
+ if (certChain != NULL) {
+ CFRelease(certChain);
+ }
 }
 #define ADD(list, str) { \
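Review bot: The status of `completeCertChain(theIdentity, NULL, TRUE, &certChain)` is still ignored, and the `// *** Should do something with this error...` comment remains. The early return this commit touches in completeCertChain releases its array and returns with no store to the out-parameter visible on that path, so certChain is presumably still NULL when the code after this hunk uses it. A guard before the first use, for example `if (err != noErr || certChain == NULL) { goto errOut; }` or skipping the identity instead, would keep a failed chain build away from CoreFoundation calls on a NULL array. The call `SecIdentityCopyCertificate(theIdentity, &certificate);` two lines above has the same shape: its status is dropped and `certificate` has no initializer. The loop body continues outside the hunk, so the first use of certChain is not visible here.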
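Review bot: The per-iteration cleanup added before the closing brace of the loop body releases only certChain. The same iteration also obtains `theIdentity` from SecIdentitySearchCopyNext and `certificate` from SecIdentityCopyCertificate, both Copy-rule calls whose results the caller owns. The lines between the hunks are not shown, so these may already be released there; if they are not, they leak once per identity just as certChain did. In that case `CFRelease(certificate);` and `CFRelease(theIdentity); theIdentity = NULL;` would belong next to the new block, and the `goto errOut` exits would need the same coverage as the release added after `errOut:` in the last hunk.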