commit e30f3fb0809a79d9fad8074ea66b4b4a6498f637
author David Benjamin <davidben@chromium.org> Wed Mar 18 19:55:40 2015 -0400
committer Adam Langley <agl@google.com> Thu Mar 19 11:11:04 2015 +0000
tree fb75045b83e0afd63ecdc188667e5b4ae4db3ec7
parent c02f148fa8c23f71ed830996cf29e81185e82488

ASN1_primitive_new NULL param handling

ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

(Imported from upstream's 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)

Change-Id: Icbb13cd00d0ec5529871b678b0bcc465956a7572
Reviewed-on: https://boringssl-review.googlesource.com/4006
Reviewed-by: Adam Langley <agl@google.com>

crypto/asn1/tasn_new.c

diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index e59025b..cca8236 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -329,14 +329,17 @@
 	ASN1_STRING *str;
 	int utype;
 
-	if (it && it->funcs)
+	if (!it)
+		return 0;
+
+	if (it->funcs)
 		{
 		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
 		if (pf->prim_new)
 			return pf->prim_new(pval, it);
 		}
 
-	if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+	if (it->itype == ASN1_ITYPE_MSTRING)
 		utype = -1;
 	else
 		utype = it->utype;