4 files changed, 7 insertions, 2 deletions

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 85ae928..b14b4b6 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -195,7 +195,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
     ok = 1;
 
  err:
-    if (ec->key && !keep_key) {
+    if (ec->key && (!keep_key || !ok)) {
         OPENSSL_cleanse(ec->key, ec->keylen);
         OPENSSL_free(ec->key);
         ec->key = NULL;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index a8322dc..b91c016 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -121,6 +121,9 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
 
     /* Setup algorithm identifier for cipher */
     encalg = X509_ALGOR_new();
+    if (encalg == NULL) {
+        goto merr;
+    }
     EVP_CIPHER_CTX_init(&ctx);
 
     if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) {
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 721ffd5..a41aca8 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -857,6 +857,8 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
     } else {
         const EVP_MD *md = EVP_MD_CTX_md(&mctx);
         pkctx = EVP_PKEY_CTX_new(si->pkey, NULL);
+        if (pkctx == NULL)
+            goto err;
         if (EVP_PKEY_verify_init(pkctx) <= 0)
             goto err;
         if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0)
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 5522a37..07e3472 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -754,7 +754,7 @@ int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags)
     BIO *cmsbio;
     int ret = 0;
     if (!(cmsbio = CMS_dataInit(cms, dcont))) {
-        CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
+        CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_LIB);
         return 0;
     }