Free buffer in a2i_ASN1_INTEGER() on error path.

Thank to Shi Lei for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c
index 0f16ac0bbbddc842bed08d196237a32b6da6da90..f1ed6bbe652794f0df77f39dfeb7ae2ebbb16709 100644 (file)
--- a/crypto/asn1/f_int.c
+++ b/crypto/asn1/f_int.c
@@ -112,6 +112,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
         i -= again;
         if (i % 2 != 0) {
             ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_ODD_NUMBER_OF_CHARS);
+            OPENSSL_free(s);
             return 0;
         }
         i /= 2;