I found some time to take a further look at the smime codebase. I used [weggli](https://github.com/googleprojectzero/weggli) to audit for similar code patterns where the address of uninitialized values was being passed as a parameter, which didn't turn up any new issues. With respect to the bug in `NSS_CMSDigestContext_FinishSingle`, it's only reachable when parsing DigestedData content, and support for that content type has never properly been implemented ([code](https://searchfox.org/mozilla-central/source/security/nss/lib/smime/cmsdigdata.c#202)) and isn't part of the [smime standard](https://datatracker.ietf.org/doc/html/rfc8551). However, the code is still reachable from Firefox and Thunderbird because we fully parse the CMS data in `NSS_CMSMessage_CreateFromDER` and use the templates in `cmsasn1.c` prior to validating the format. John pointed out that we can't NULL out `digestsp` if there's an error as the encoder is relying on the existing behaviour. As we're currently investigating if we can remove this code entirely, I've updated the patch to the sufficient fix outlined in my earlier comment. With the fix, the missing data is noticed [here](https://searchfox.org/mozilla-central/source/security/nss/lib/util/secasn1d.c#2130) and the parser raises a decodeError.
Bug 1767590 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I found some time to take a further look at the smime codebase. I used [weggli](https://github.com/googleprojectzero/weggli) to audit for similar code patterns where the address of uninitialized values was being passed as a parameter, which didn't turn up any new issues. With respect to the bug in `NSS_CMSDigestContext_FinishSingle`, it's only reachable when parsing DigestedData content, and support for that content type has never properly been implemented ([code](https://searchfox.org/mozilla-central/source/security/nss/lib/smime/cmsdigdata.c#202)) and isn't part of the [smime standard](https://datatracker.ietf.org/doc/html/rfc8551). However, the code is still reachable from Firefox and Thunderbird because we fully parse the CMS data in `NSS_CMSMessage_CreateFromDER` and use the templates in `cmsasn1.c` prior to validating the format. John pointed out that we can't NULL out `digestsp` if there's an error as the encoder is relying on the existing behaviour. As we're currently investigating if we can remove this code entirely, I've updated the patch to the sufficient fix outlined in my earlier comment. With the fix, the missing data is noticed [here](https://searchfox.org/mozilla-central/source/security/nss/lib/util/secasn1d.c#2130) and the parser raises a decodeError.