From 648b0a57c66bed14415bbe52e42d60f75bd33d21 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Tue, 28 Oct 2025 19:08:33 +0100
Subject: [PATCH] wolfSSL_X509_get_ext_by_OBJ: check we don't deref a NULL ptr

---
 src/x509.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/x509.c b/src/x509.c
index 17a5ac2ddc..24a4d7ad1e 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -463,10 +463,12 @@ int wolfSSL_X509_get_ext_by_OBJ(const WOLFSSL_X509 *x,
     lastpos++;
     if (lastpos < 0)
         lastpos = 0;
-    for (; lastpos < wolfSSL_sk_num(sk); lastpos++)
-        if (wolfSSL_OBJ_cmp(wolfSSL_sk_X509_EXTENSION_value(sk,
-                        lastpos)->obj, obj) == 0)
+    for (; lastpos < wolfSSL_sk_num(sk); lastpos++) {
+        WOLFSSL_X509_EXTENSION* ext = wolfSSL_sk_X509_EXTENSION_value(sk,
+                lastpos);
+        if (ext != NULL && wolfSSL_OBJ_cmp(ext->obj, obj) == 0)
             return lastpos;
+    }
     return WOLFSSL_FATAL_ERROR;
 }