Fix double free in d2i_PrivateKey().
authorDr. Stephen Henson <steve@openssl.org>
Tue, 3 May 2016 14:05:31 +0000 (15:05 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 4 May 2016 11:59:11 +0000 (12:59 +0100)
RT#4527

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3340e8bb186f689df5720352f65a9c0c42b6046b)

crypto/asn1/d2i_pr.c

index d21829af192f0c47d15b340d488b045df3b8ef2e..86dcf5fba9d78217faf0bc78f2d936fa43afefd2 100644 (file)
@@ -97,15 +97,17 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
     if (!ret->ameth->old_priv_decode ||
         !ret->ameth->old_priv_decode(ret, &p, length)) {
         if (ret->ameth->priv_decode) {
+            EVP_PKEY *tmp;
             PKCS8_PRIV_KEY_INFO *p8 = NULL;
             p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
             if (!p8)
                 goto err;
-            EVP_PKEY_free(ret);
-            ret = EVP_PKCS82PKEY(p8);
+            tmp = EVP_PKCS82PKEY(p8);
             PKCS8_PRIV_KEY_INFO_free(p8);
-            if (ret == NULL)
+            if (tmp == NULL)
                 goto err;
+            EVP_PKEY_free(ret);
+            ret = tmp;
         } else {
             ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
             goto err;