X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b54c578e17e9bcbd74aa30ea75e25e955b9a6205..918dce6758f4f57e8c0b650cb5eead501f6684ca:/OSX/libsecurity_codesigning/lib/signer.cpp?ds=sidebyside

diff --git a/OSX/libsecurity_codesigning/lib/signer.cpp b/OSX/libsecurity_codesigning/lib/signer.cpp
index 89279238..eff950ab 100644
--- a/OSX/libsecurity_codesigning/lib/signer.cpp
+++ b/OSX/libsecurity_codesigning/lib/signer.cpp
@@ -429,11 +429,12 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase
 
 		resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const std::string relpath, Rule *rule) {
 			bool isSymlink = (ent->fts_info == FTS_SL);
+			bool isNested = (ruleFlags & ResourceBuilder::nested);
 			const std::string path(ent->fts_path);
 			const std::string accpath(ent->fts_accpath);
 			this->state.mLimitedAsync->perform(groupRef, ^{
 				CFRef<CFMutableDictionaryRef> seal;
-				if (ruleFlags & ResourceBuilder::nested) {
+				if (isNested) {
 					seal.take(signNested(path, relpath));
 				} else if (isSymlink) {
 					char target[PATH_MAX];
@@ -445,6 +446,10 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase
 				} else {
 					seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms(), signingFlags() & kSecCSSignStrictPreflight));
 				}
+				if (seal.get() == NULL) {
+					secerror("Failed to generate sealed resource: %d, %d, %s", isNested, isSymlink, accpath.c_str());
+					MacOSError::throwMe(errSecCSBadResource);
+				}
 				if (ruleFlags & ResourceBuilder::optional)
 					CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue);
 				CFTypeRef hash;