From b31602c6c2fff31b12e80e0f2465ad66f0255144 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 5 Apr 2017 13:25:08 +0200
Subject: certtool: guard the value of tl before gnutls_pkcs7_verify

This utilizes assert() as it cannot be triggered in practice.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 src/certtool.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/certtool.c b/src/certtool.c
index 5526598f2b..7d9d5072e5 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -43,6 +43,8 @@
 # include <signal.h>
 #endif
 
+#include <assert.h>
+
 /* Gnulib portability files. */
 #include <read-file.h>
 
@@ -2850,8 +2852,10 @@ void verify_pkcs7(common_info_st * cinfo, const char *purpose, unsigned display_
 					ret = GNUTLS_E_CONSTRAINT_ERROR;
 			}
 
-		} else
+		} else {
+			assert(tl != NULL);
 			ret = gnutls_pkcs7_verify(pkcs7, tl, vdata, vdata_size, i, detached.data!=NULL?&detached:NULL, flags);
+		}
 		if (ret < 0) {
 			fprintf(stderr, "\tSignature status: verification failed: %s\n", gnutls_strerror(ret));
 			ecode = 1;
-- 
cgit v1.2.1