Not quite, because now you avoid the potential double free and instead leak
ret itself because of how ASN1_STRING_free works. You need to
do this slightly differently.
On Sun, Apr 20, 2014 at 9:37 PM, Dirk Engling <erdge...@erdgeist.org> wrote:
> On 21.04.14 04:56, Ted Unangst wrote:
>
>> Also, can you include diffs inline please? One diff per email. Maybe
>> just one or two emails to start, then try sending the rest after we
>> see how that goes?
>
> fix double free in d2i_ASN1_bytes by setting ret->data = NULL after
> free, before potential goto err;
>
> Index: a_bytes.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_bytes.c,v
> retrieving revision 1.10
> diff -u -r1.10 a_bytes.c
> --- a_bytes.c 17 Apr 2014 16:14:15 -0000 1.10
> +++ a_bytes.c 21 Apr 2014 03:35:25 -0000
> @@ -205,6 +205,7 @@
> if ((ret->length < len) || (ret->data == NULL)) {
> if (ret->data != NULL)
> free(ret->data);
> + ret->data = NULL;
> s = (unsigned char *)malloc((int)len + 1);
> if (s == NULL) {
> i = ERR_R_MALLOC_FAILURE;
>
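Review bot: the added `ret->data = NULL;` after `free(ret->data);` clears the pointer but leaves `ret->length` at its old value, so on the `s == NULL` failure path `ret` is left with a NULL data pointer and a stale nonzero length. Consider doing the `malloc` first and only freeing and replacing `ret->data` once `s` is known to be non-NULL, so the failure path leaves `ret` untouched and the error handler frees the old buffer exactly once. If the assignment stays where it is, reset `ret->length = 0;` alongside it, and check what the error path does with a `ret` whose data is NULL, since the reply above reports that `ret` itself then leaks in ASN1_STRING_free.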