From 7167a8fabc8993d50746b98347f8dcb2cf1ffcc0 Mon Sep 17 00:00:00 2001
From: Dana Keeler <dkeeler@mozilla.com>
Date: Sun, 24 May 2026 12:03:33 +0200
Subject: [PATCH] [NSS] NSS_CMSContentInfo_SetContent: only modify cinfo if
 everything succeeds.

---
 security/nss/lib/smime/cmscinfo.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
index 453ccaadaa..37163b27ee 100644
--- a/security/nss/lib/smime/cmscinfo.c
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -156,37 +156,40 @@ SECStatus
 NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
                               SECOidTag type, void *ptr)
 {
-    SECStatus rv;
     if (cinfo == NULL || cmsg == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
-    if (cinfo->contentTypeTag == NULL) {
+    SECOidData *contentTypeTag = SECOID_FindOIDByTag(type);
+    if (!contentTypeTag) {
         return SECFailure;
     }
 
-    /* do not copy the oid, just create a reference */
-    rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
+    SECItem contentType = { siBuffer, NULL, 0 };
+    SECStatus rv = SECITEM_CopyItem(cmsg->poolp, &contentType, &(contentTypeTag->oid));
     if (rv != SECSuccess) {
         return SECFailure;
     }
 
-    cinfo->content.pointer = ptr;
-
+    SECItem *rawContent;
     if (NSS_CMSType_IsData(type) && ptr) {
-        cinfo->rawContent = ptr;
+        rawContent = ptr;
     } else {
         /* as we always have some inner data,
-     * we need to set it to something, just to fool the encoder enough to work on it
-     * and get us into nss_cms_encoder_notify at that point */
-        cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
-        if (cinfo->rawContent == NULL) {
-            PORT_SetError(SEC_ERROR_NO_MEMORY);
+         * we need to set it to something, just to fool the encoder enough to work on it
+         * and get us into nss_cms_encoder_notify at that point */
+        rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
+        if (!rawContent) {
             return SECFailure;
         }
     }
 
+    cinfo->contentType = contentType;
+    cinfo->content.pointer = ptr;
+    cinfo->contentTypeTag = contentTypeTag;
+    cinfo->rawContent = rawContent;
+
     return SECSuccess;
 }