From 9f01a8acb3a6faf116278beebc1f376319f5cfe5 Mon Sep 17 00:00:00 2001
From: Jonas Maebe
Date: Sun, 8 Dec 2013 22:48:28 +0100
Subject: [PATCH] process_pci_value: free (*policy)->data before setting to NULL after failed realloc
Signed-off-by: Kurt Roeckx
Reviewed-by: Rich Salz
---
 crypto/x509v3/v3_pci.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 0dcfa004fe..438cdfe003 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -149,6 +149,7 @@ static int process_pci_value(CONF_VALUE *val,
 {
 OPENSSL_free(tmp_data2);
 /* realloc failure implies the original data space is b0rked too! */
+ OPENSSL_free((*policy)->data);
 (*policy)->data = NULL;
 (*policy)->length = 0;
 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
@@ -177,7 +178,15 @@ static int process_pci_value(CONF_VALUE *val,
 (*policy)->length + n + 1);
 if (!tmp_data)
- break;
+ {
+ OPENSSL_free((*policy)->data);
+ (*policy)->data = NULL;
+ (*policy)->length = 0;
+ X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
+ X509V3_conf_err(val);
+ BIO_free_all(b);
+ goto err;
+ }
 (*policy)->data = tmp_data;
 memcpy(&(*policy)->data[(*policy)->length],
@@ -210,6 +219,7 @@ static int process_pci_value(CONF_VALUE *val,
 else
 {
 /* realloc failure implies the original data space is b0rked too! */
+ OPENSSL_free((*policy)->data);
 (*policy)->data = NULL;
 (*policy)->length = 0;
 X509V3err(X509V3_F_PROCESS_PCI_VALUE,ERR_R_MALLOC_FAILURE);
--
2.25.1
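Review bot: The context comment `/* realloc failure implies the original data space is b0rked too! */` directly above the added `OPENSSL_free((*policy)->data);` in the first hunk now contradicts the code beneath it. A failed realloc leaves the original allocation valid and still owned by the caller, which is why freeing it here is correct and not a double free. I would reword it to `/* realloc failed: the old buffer is still allocated, so free it before clearing the pointer */` so nobody later removes the free on the strength of the comment. The same stale comment sits above the added line in the third hunk (the `else` branch); process_pci_value starts and ends outside both hunks.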
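Review bot: The new failure branch under `if (!tmp_data)` in the second hunk is a third hand-written copy of the cleanup sequence that the first and third hunks patch: free `(*policy)->data`, reset `data` and `length`, raise `ERR_R_MALLOC_FAILURE`, then report through `X509V3_conf_err(val)`. This commit is needed because those copies had drifted, so as a matter of style I would fold the sequence into one static helper or a shared cleanup label and keep only `BIO_free_all(b);` local to this branch. A short comment such as `/* the BIO is only live inside this branch, release it before leaving */` would also explain why this copy has an extra step. The function body and the `err:` label are outside the hunk, so what `err:` itself releases cannot be confirmed from here.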