8376300: Avoid more leaks in KeystoreImpl.m because of missing CFRelease calls

Reviewed-by: weijun, clanger
2026-04-27 23:31:47 +00:00 · 2026-04-24 06:56:32 +00:00 · 2026-04-24 06:56:32 +00:00 · d32eb4b47e
commit d32eb4b47e
parent a0caf2c7bf
1 changed files with 15 additions and 3 deletions
--- a/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
+++ b/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
@ -292,7 +292,10 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
        if (searchResult == noErr) {
            // Get the cert from the identity, then generate a chain.
            SecCertificateRef certificate;
-            SecIdentityCopyCertificate(theIdentity, &certificate);
+            OSStatus res = SecIdentityCopyCertificate(theIdentity, &certificate);
+            if (res != errSecSuccess) {
+                goto errOut;
+            }

            // *** Should do something with this error...
            err = completeCertChain(theIdentity, NULL, TRUE, &certChain);
@ -302,18 +305,21 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
            // Make a java array of certificate data from the chain.
            jclass byteArrayClass = (*env)->FindClass(env, "[B");
            if (byteArrayClass == NULL) {
+                CFRelease(certificate);
                goto errOut;
            }
            jobjectArray javaCertArray = (*env)->NewObjectArray(env, certCount, byteArrayClass, NULL);
            // Cleanup first then check for a NULL return code
            (*env)->DeleteLocalRef(env, byteArrayClass);
            if (javaCertArray == NULL) {
+                CFRelease(certificate);
                goto errOut;
            }

            // And, make an array of the certificate refs.
            jlongArray certRefArray = (*env)->NewLongArray(env, certCount);
            if (certRefArray == NULL) {
+                CFRelease(certificate);
                goto errOut;
            }

@ -322,10 +328,12 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
            for (i = 0; i < certCount; i++) {
                CSSM_DATA currCertData;

-                if (i == 0)
+                if (i == 0) {
                    currCertRef = certificate;
-                else
+                } else {
                    currCertRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, i);
+                    CFRetain(currCertRef);
+                }

                bzero(&currCertData, sizeof(CSSM_DATA));
                err = SecCertificateGetData(currCertRef, &currCertData);
@ -342,10 +350,14 @@ static void addIdentitiesToKeystore(JNIEnv *env, jobject keyStore, jmethodID jm_
            // Get the private key.  When needed we'll export the data from it later.
            SecKeyRef privateKeyRef;
            err = SecIdentityCopyPrivateKey(theIdentity, &privateKeyRef);
+            if (err != errSecSuccess) {
+                goto errOut;
+            }

            // Find the label.  It's a 'blob', but we interpret as characters.
            jstring alias = getLabelFromItem(env, (SecKeychainItemRef)certificate);
            if (alias == NULL) {
+                CFRelease(privateKeyRef);
                goto errOut;
            }