Fix a failure to NULL a pointer freed on error.

Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org> CVE-2015-0209 Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-09 11:38:41 +00:00 · 2015-02-09 11:38:41 +00:00 · 1b4a8df38f
commit 1b4a8df38f
parent 6d4655c27e
1 changed files with 3 additions and 3 deletions
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@ -1014,8 +1014,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
            ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
            goto err;
        }
-        if (a)
-            *a = ret;
    } else
        ret = *a;

@ -1067,10 +1065,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
        }
    }

+    if (a)
+        *a = ret;
    ok = 1;
 err:
    if (!ok) {
-        if (ret)
+        if (ret && (a == NULL || *a != ret))
            EC_KEY_free(ret);
        ret = NULL;
    }