From d34f41a30b0e503d0494bc11cd0146172157e809 Mon Sep 17 00:00:00 2001
From: Armin Novak <armin.novak@thincast.com>
Date: Tue, 3 Mar 2026 08:50:26 +0100
Subject: [PATCH] [winpr,sspi] fix missing return check

---
 winpr/libwinpr/sspi/NTLM/ntlm.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/winpr/libwinpr/sspi/NTLM/ntlm.c b/winpr/libwinpr/sspi/NTLM/ntlm.c
index 759712c92..9f73343f0 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm.c
@@ -391,8 +391,12 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
 	{
 		UINT32 identityFlags = sspi_GetAuthIdentityFlags(pAuthData);
 
-		sspi_CopyAuthIdentity(&(credentials->identity),
-		                      (const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData);
+		if (sspi_CopyAuthIdentity(&(credentials->identity),
+		                          (const SEC_WINNT_AUTH_IDENTITY_INFO*)pAuthData) < 0)
+		{
+			sspi_CredentialsFree(credentials);
+			return SEC_E_INVALID_PARAMETER;
+		}
 
 		if (identityFlags & SEC_WINNT_AUTH_IDENTITY_EXTENDED)
 			settings = (((SEC_WINNT_AUTH_IDENTITY_WINPR*)pAuthData)->ntlmSettings);
@@ -1233,7 +1237,14 @@ static SECURITY_STATUS SEC_ENTRY ntlm_DecryptMessage(PCtxtHandle phContext, PSec
 	/* Decrypt message using with RC4, result overwrites original buffer */
 
 	if (context->confidentiality)
-		winpr_RC4_Update(context->RecvRc4Seal, length, (BYTE*)data, (BYTE*)data_buffer->pvBuffer);
+	{
+		if (!winpr_RC4_Update(context->RecvRc4Seal, length, (BYTE*)data,
+		                      (BYTE*)data_buffer->pvBuffer))
+		{
+			free(data);
+			return SEC_E_INSUFFICIENT_MEMORY;
+		}
+	}
 	else
 		CopyMemory(data_buffer->pvBuffer, data, length);