projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6e161ee)
Fix a failure to NULL a pointer freed on error.
authorMatt Caswell <matt@openssl.org>
Mon, 9 Feb 2015 11:38:41 +0000 (11:38 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 25 Feb 2015 20:38:25 +0000 (20:38 +0000)
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>
crypto/ec/ec_asn1.c patch | blob | history

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index f16842b1fb1a216aa3cb8e381da8973b65e7a49f..6907436878a63f12766ece6b867b674a7246f3b9 100644 (file)
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1014,8 +1014,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
@@ -1083,10 +1081,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         ret->enc_flag |= EC_PKEY_NO_PUBKEY;
     }
 
+    if (a)
+        *a = ret;
     ok = 1;
  err:
     if (!ok) {
-        if (ret)
+        if (ret && (a == NULL || *a != ret))
             EC_KEY_free(ret);
         ret = NULL;
     }
Unnamed repository; edit this file 'description' to name the repository.