Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>

2 files changed, 16 insertions, 3 deletions

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index de3df9e..8b74d02 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
 	const unsigned char *q;
 	X509 *ret;
+    int freeret = 0;
+
 	/* Save start position */
 	q = *pp;
+
+    if(!a || *a == NULL) {
+        freeret = 1;
+    }
 	ret = d2i_X509(a, pp, length);
 	/* If certificate unreadable then forget it */
 	if(!ret) return NULL;
@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 	if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
 	return ret;
 	err:
-	X509_free(ret);
+    if(freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
 	return NULL;
 }
 
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 175eec5..ccd1ecd 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
 			ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
 			return NULL;
 			}
-		if (a)
-			*a = ret;
 		}
 	else
 		ret = *a;
@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
 	if (!d2i_ECPKParameters(&ret->group, in, len))
 		{
 		ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+                if (a == NULL || *a != ret)
+                     EC_KEY_free(ret);
 		return NULL;
 		}
 
+        if (a)
+            *a = ret;
+
 	return ret;
 	}