From ba5d0113e8bcb26857ae58a11b219aeb7bc2408a Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 9 Feb 2015 11:38:41 +0000 Subject: [PATCH] Fix a failure to NULL a pointer freed on error. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Inspired by BoringSSL commit 517073cd4b by Eric Roman CVE-2015-0209 Reviewed-by: Emilia Käsper --- crypto/ec/ec_asn1.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 292437409f..1088e8916e 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1033,8 +1033,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE); goto err; } - if (a) - *a = ret; } else ret = *a; @@ -1102,10 +1100,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) ret->enc_flag |= EC_PKEY_NO_PUBKEY; } + if (a) + *a = ret; ok = 1; err: if (!ok) { - if (ret) + if (ret && (a == NULL || *a != ret)) EC_KEY_free(ret); ret = NULL; } -- 2.25.1