Fix a failure to NULL a pointer freed on error.

Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org> CVE-2015-0209 Reviewed-by: Emilia Käsper <emilia@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-02-09 11:38:41 +0000
committer: Matt Caswell <matt@openssl.org> 2015-02-25 17:13:07 +0000
commit: 9e442d485008046933cdc7da65080f436a4af089 (patch)
tree: 57715058367b9f6316a51614e028b33f10079bf1
parent: 71ea6b4836a9ec40857f295e7cd00e04edc17e47 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 292437409f..1088e8916e 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1033,8 +1033,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
@@ -1102,10 +1100,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
         ret->enc_flag |= EC_PKEY_NO_PUBKEY;
     }
 
+    if (a)
+        *a = ret;
     ok = 1;
  err:
     if (!ok) {
-        if (ret)
+        if (ret && (a == NULL || *a != ret))
             EC_KEY_free(ret);
         ret = NULL;
     }
author	Matt Caswell <matt@openssl.org>	2015-02-09 11:38:41 +0000
committer	Matt Caswell <matt@openssl.org>	2015-02-25 17:13:07 +0000
commit	9e442d485008046933cdc7da65080f436a4af089 (patch)
tree	57715058367b9f6316a51614e028b33f10079bf1
parent	71ea6b4836a9ec40857f295e7cd00e04edc17e47 (diff)