Index: /branches/rel_ag_9_4_5/ssl-111/Makefile
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/Makefile	(revision 20647)
+++ /branches/rel_ag_9_4_5/ssl-111/Makefile	(working copy)
@@ -24,6 +24,11 @@
 PATCH15=openssl-1.1.1d-CVE-2022-0778.patch
 PATCH16=ocsp_retry.patch
 PATCH17=openssl-1.1.1d-CVE-2026-22795.patch
+PATCH18=openssl-1.1.1d-CVE-2025-69419.patch
+PATCH19=openssl-1.1.1d-CVE-2025-69420.patch
+PATCH20=openssl-1.1.1d-CVE-2025-69421.patch
+PATCH21=openssl-1.1.1d-CVE-2025-69418.patch
+PATCH22=openssl-1.1.1d-CVE-2025-68160.patch
 #PATCHx=openssl-1.1.1d-bug102140.patch
 
 INST_LIB= $(OPENSSL_LIB)
@@ -59,7 +64,12 @@
 	patch -p1 < ../d_patch/$(PATCH14) && \
 	patch -p1 < ../d_patch/$(PATCH15) && \
 	patch -p1 < ../d_patch/$(PATCH16) && \
-	patch -p1 < ../d_patch/$(PATCH17);
+	patch -p1 < ../d_patch/$(PATCH17) && \
+	patch -p1 < ../d_patch/$(PATCH18) && \
+	patch -p1 < ../d_patch/$(PATCH19) && \
+	patch -p1 < ../d_patch/$(PATCH20) && \
+	patch -p1 < ../d_patch/$(PATCH21) && \
+	patch -p1 < ../d_patch/$(PATCH22);
 	cd openssl && \
 	/usr/local/bin/perl5.10.1 Configure BSD-x86_64 --prefix=$(PWD)/../$(CA_ROOT) --openssldir=$(PWD)/../$(CA_ROOT)/ssl-111 $(OPENSSL_OPT) && \
 	cd ..;
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-68160.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-68160.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-68160.patch	(working copy)
@@ -0,0 +1,75 @@
+From b21663c35a6f0ed4c8de06855bdc7a6a21f00c2f Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes openssl/srt#48
+
+Fixes CVE-2025-68160
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:41:40 2026
+---
+ crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
+index 6c0e57f8a3918..77ad96a9b9dc5 100644
+--- a/crypto/bio/bf_lbuf.c
++++ b/crypto/bio/bf_lbuf.c
+@@ -191,14 +191,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+     while (foundnl && inl > 0);
+     /*
+      * We've written as much as we can.  The rest of the input buffer, if
+-     * any, is text that doesn't and with a NL and therefore needs to be
+-     * saved for the next trip.
++     * any, is text that doesn't end with a NL and therefore we need to try
++     * free up some space in our obuf so we can make forward progress.
+      */
+-    if (inl > 0) {
+-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+-        ctx->obuf_len += inl;
+-        num += inl;
++    while (inl > 0) {
++        size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++        size_t to_copy;
++
++        if (avail == 0) {
++            /* Flush buffered data to make room */
++            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++            if (i <= 0) {
++                BIO_copy_next_retry(b);
++                return num > 0 ? num : i;
++            }
++            if (i < ctx->obuf_len)
++                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++            ctx->obuf_len -= i;
++            continue;
++        }
++
++        to_copy = inl > (int)avail ? avail : (size_t)inl;
++        memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++        ctx->obuf_len += (int)to_copy;
++        in += to_copy;
++        inl -= (int)to_copy;
++        num += (int)to_copy;
+     }
++
+     return num;
+ }
+
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69418.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69418.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69418.patch	(working copy)
@@ -0,0 +1,72 @@
+From be9375d5d45dfaf897b56ef148a0b58402491fcb Mon Sep 17 00:00:00 2001
+From: Norbert Pocs <norbertp@openssl.org>
+Date: Thu, 8 Jan 2026 15:04:54 +0100
+Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
+ trailing bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
+encrypts/decrypts full blocks but does not advance in/out pointers. The
+tail-handling code then operates on the base pointers, effectively reprocessing
+the beginning of the buffer while leaving the actual trailing bytes
+unencrypted (encryption) or using the wrong plaintext (decryption). The
+authentication checksum excludes the true tail.
+
+CVE-2025-69418
+
+Fixes: https://github.com/openssl/srt/issues/58
+
+Signed-off-by: Norbert Pocs <norbertp@openssl.org>
+
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:48:35 2026
+---
+ crypto/modes/ocb128.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c
+index ce72baf6da5a7..8a5d7c7db00b5 100644
+--- a/crypto/modes/ocb128.c
++++ b/crypto/modes/ocb128.c
+@@ -342,7 +342,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -356,6 +356,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keyenc,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         /* Loop through all full blocks to be encrypted */
+         for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
+@@ -434,7 +437,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -448,6 +451,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keydec,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         OCB_BLOCK tmp;
+
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69419.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69419.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69419.patch	(working copy)
@@ -0,0 +1,46 @@
+From 41be0f216404f14457bbf3b9cc488dba60b49296 Mon Sep 17 00:00:00 2001
+From: Norbert Pocs <norbertp@openssl.org>
+Date: Thu, 11 Dec 2025 12:49:00 +0100
+Subject: [PATCH] Check return code of UTF8_putc
+
+Signed-off-by: Norbert Pocs <norbertp@openssl.org>
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29376)
+---
+ crypto/asn1/a_strex.c   | 6 ++++--
+ crypto/pkcs12/p12_utl.c | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
+index 9a5a6de6789e0..6d3c26bc42104 100644
+--- a/crypto/asn1/a_strex.c
++++ b/crypto/asn1/a_strex.c
+@@ -260,8 +260,11 @@ static int do_buf(unsigned char *buf, int buflen,
+             orflags = CHARTYPE_LAST_ESC_2253;
+         if (type & BUF_TYPE_CONVUTF8) {
+             unsigned char utfbuf[6];
+             int utflen;
+             utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++            if (utflen < 0)
++                return -1; /* error happened with UTF8 */
+             for (i = 0; i < utflen; i++) {
+                 /*
+                  * We don't need to worry about setting orflags correctly
+diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
+index 17bbc4b77ff70..0943f2efd17c4 100644
+--- a/crypto/pkcs12/p12_utl.c
++++ b/crypto/pkcs12/p12_utl.c
+@@ -207,5 +207,10 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+     /* re-run the loop emitting UTF-8 string */
+     for (asclen = 0, i = 0; i < unilen;) {
+         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
++        /* when UTF8_putc fails */
++        if (j < 0) {
++            OPENSSL_free(asctmp);
++            return NULL;
++        }
+         if (j == 4) i += 4;
+         else        i += 2;
\ No newline at end of file
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69420.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69420.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69420.patch	(working copy)
@@ -0,0 +1,46 @@
+From 4e254b48ad93cc092be3dd62d97015f33f73133a Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Verify ASN1 object's types before attempting to access them
+ as a particular type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Issue was reported in ossl_ess_get_signing_cert but is also present in
+ossl_ess_get_signing_cert_v2.
+
+Fixes: https://github.com/openssl/srt/issues/61
+Fixes CVE-2025-69420
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:53:36 2026
+(cherry picked from commit ea8fc4c345fbd749048809c9f7c881ea656b0b94)
+---
+ crypto/ts/ts_rsp_verify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
+index 6d715cb7cd8e5..630176730eca7 100644
+--- a/crypto/ts/ts_rsp_verify.c
++++ b/crypto/ts/ts_rsp_verify.c
+@@ -263,6 +263,7 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
+     const unsigned char *p;
++
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+-    if (!attr)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -274,7 +275,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO
+     const unsigned char *p;
+
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
Index: /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69421.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69421.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl-111/d_patch/openssl-1.1.1d-CVE-2025-69421.patch	(working copy)
@@ -0,0 +1,36 @@
+From 2c13bf15286328641a805eb3b7c97e27d42881fb Mon Sep 17 00:00:00 2001
+From: Andrew Dinh <andrewd@openssl.org>
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes CVE-2025-69421
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:56:08 2026
+---
+ crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index 0745bc9b088cd..ec1d2ee54aed9 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -88,6 +88,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen;
+
++    if (oct == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
++                  PKCS12_R_INVALID_NULL_ARGUMENT);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+                          &out, &outlen, 0)) {
+         PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
Index: /branches/rel_ag_9_4_5/ssl/Makefile
===================================================================
--- /branches/rel_ag_9_4_5/ssl/Makefile	(revision 20647)
+++ /branches/rel_ag_9_4_5/ssl/Makefile	(working copy)
@@ -76,6 +76,8 @@
 	patch < CVE-2022-0778.patch -d ../${OPENSSL_PKG} && \
 	patch < CVE-2025-9230.patch -p1 -d ../${OPENSSL_PKG} && \
 	patch < CVE-2026-22795.patch -p1 -d ../${OPENSSL_PKG} && \
+	patch < CVE-2025-69421.patch -p1 -d ../${OPENSSL_PKG} && \
+	patch < CVE-2025-68160.patch -p1 -d ../${OPENSSL_PKG} && \
 	cd ..;
 	chmod +x copy_sm2_files.sh patch_openssl_sm2.sh
 	./copy_sm2_files.sh ${OPENSSL_PKG};
Index: /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-68160.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-68160.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-68160.patch	(working copy)
@@ -0,0 +1,75 @@
+From b21663c35a6f0ed4c8de06855bdc7a6a21f00c2f Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes openssl/srt#48
+
+Fixes CVE-2025-68160
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:41:40 2026
+---
+ crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
+index 6c0e57f8a3918..77ad96a9b9dc5 100644
+--- a/crypto/bio/bf_lbuf.c
++++ b/crypto/bio/bf_lbuf.c
+@@ -252,14 +252,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+     while (foundnl && inl > 0);
+     /*
+      * We've written as much as we can.  The rest of the input buffer, if
+-     * any, is text that doesn't and with a NL and therefore needs to be
+-     * saved for the next trip.
++     * any, is text that doesn't end with a NL and therefore we need to try
++     * free up some space in our obuf so we can make forward progress.
+      */
+-    if (inl > 0) {
+-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+-        ctx->obuf_len += inl;
+-        num += inl;
++    while (inl > 0) {
++        size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++        size_t to_copy;
++
++        if (avail == 0) {
++            /* Flush buffered data to make room */
++            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++            if (i <= 0) {
++                BIO_copy_next_retry(b);
++                return num > 0 ? num : i;
++            }
++            if (i < ctx->obuf_len)
++                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++            ctx->obuf_len -= i;
++            continue;
++        }
++
++        to_copy = inl > (int)avail ? avail : (size_t)inl;
++        memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++        ctx->obuf_len += (int)to_copy;
++        in += to_copy;
++        inl -= (int)to_copy;
++        num += (int)to_copy;
+     }
++
+     return num;
+ }
+
Index: /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-69421.patch
===================================================================
--- /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-69421.patch	(revision 0)
+++ /branches/rel_ag_9_4_5/ssl/patch/CVE-2025-69421.patch	(working copy)
@@ -0,0 +1,36 @@
+From 2c13bf15286328641a805eb3b7c97e27d42881fb Mon Sep 17 00:00:00 2001
+From: Andrew Dinh <andrewd@openssl.org>
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes CVE-2025-69421
+
+Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:56:08 2026
+---
+ crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index 0745bc9b088cd..ec1d2ee54aed9 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -133,6 +133,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen;
+
++    if (oct == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
++                  PKCS12_R_INVALID_NULL_ARGUMENT);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+                          &out, &outlen, 0)) {
+         PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
