From 036e61b1669fee477af2d5d1afd0b015517f7f9a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 14 Jun 2016 11:45:34 +0100
Subject: [PATCH] Free memory on an error path

The function a2i_ASN1_STRING can encounter an error after already
allocating a buffer. It wasn't always freeing that buffer on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
---
 crypto/asn1/f_string.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c
index f9a77a2cde..0e03139344 100644
--- a/crypto/asn1/f_string.c
+++ b/crypto/asn1/f_string.c
@@ -104,6 +104,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
         i -= again;
         if (i % 2 != 0) {
             ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_ODD_NUMBER_OF_CHARS);
+            OPENSSL_free(s);
             return 0;
         }
         i /= 2;
@@ -123,6 +124,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
                 if (m < 0) {
                     ASN1err(ASN1_F_A2I_ASN1_STRING,
                             ASN1_R_NON_HEX_CHARACTERS);
+                    OPENSSL_free(s);
                     return 0;
                 }
                 s[num + j] <<= 4;
@@ -141,5 +143,6 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 
  err:
     ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE);
+    OPENSSL_free(s);
     return 0;
 }
-- 
2.34.1