From: Nikos Mavrogiannopoulos
Date: Thu, 19 Jan 2017 08:08:04 +0000 (+0100)
Subject: x509: eliminated memory leak on gnutls_x509_ext_import_aia
X-Git-Tag: gnutls_3_6_0~1061
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86e8d831bb3129f85379b32cdd8bbdc15f4d891e;p=thirdparty%2Fgnutls.git
x509: eliminated memory leak on gnutls_x509_ext_import_aia
Issue found using oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=385
Signed-off-by: Nikos Mavrogiannopoulos
---
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index b947b46028..d06a38cc75 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -2723,18 +2723,24 @@ static int parse_aia(ASN1_TYPE c2, gnutls_x509_aia_t aia)
 }
 aia->aia = tmp;
- aia->aia[indx].oid.data = (void*)gnutls_strdup(tmpoid);
- aia->aia[indx].oid.size = strlen(tmpoid);
-
 snprintf(nptr, sizeof(nptr), "?%u.accessLocation", i);
+
 ret = _gnutls_parse_general_name2(c2, nptr, -1, &aia->aia[indx].san, &aia->aia[indx].san_type, 0);
 if (ret < 0) break;
+ /* we do the strdup after parsing to avoid a memory leak */
+ aia->aia[indx].oid.data = (void*)gnutls_strdup(tmpoid);
+ aia->aia[indx].oid.size = strlen(tmpoid);
+
 aia->size++;
+ if (aia->aia[indx].oid.data == NULL) {
+ gnutls_assert();
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
 }
 if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
@@ -2754,7 +2760,7 @@ static int parse_aia(ASN1_TYPE c2, gnutls_x509_aia_t aia)
 * extension from the provided DER-encoded data; see RFC 5280 section 4.2.2.1
 * for more information on the extension. The
 * AIA extension holds a sequence of AccessDescription (AD) data.
- *
+ *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
 *
 * Since: 3.3.0
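Review bot: In the new allocation-failure path at the end of the loop body in the first hunk, `aia->size++` runs before the `oid.data == NULL` check, so a failed `gnutls_strdup` leaves a counted entry whose `oid.data` is NULL while `oid.size` is already `strlen(tmpoid)`. That ordering presumably keeps the already-parsed `san` reachable for whatever frees the structure (the cleanup code is not visible here), but a consumer that trusts `oid.size` would read through a NULL pointer; consider setting the size only on success, `aia->aia[indx].oid.size = aia->aia[indx].oid.data ? strlen(tmpoid) : 0;`, and stating the intent in a comment such as `/* count the entry before the NULL check so its san is released with the rest on error */`. The bare `gnutls_assert();` directly before `return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);` looks redundant, since `gnutls_assert_val` already records the assertion. parse_aia starts and ends outside the hunk, so the caller's handling of the error return should be confirmed there.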