From 11aac10987c2d2d41bf47c45ee3779515856ab08 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Fri, 8 Jan 2016 16:34:51 -0800
Subject: [PATCH] Fix theoretical memory leak on malloc error in CBS_asn1_ber_to_der. On failure, CBB_finish doesn't call CBB_cleanup. Also chain more of the ||s together now that CBB_cleanup after failed CBB_init is legal. (I don't think this is actually reachable because the CBB is guaranteed to be flushed by this point.)
Change-Id: Ib16a0a185f15e13675ac2550c5e8e0926ceb7957
Reviewed-on: https://boringssl-review.googlesource.com/7051
Reviewed-by: Adam Langley
---
 crypto/bytestring/ber.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/crypto/bytestring/ber.c b/crypto/bytestring/ber.c
index 9e8daaa5..6f7d1077 100644
--- a/crypto/bytestring/ber.c
+++ b/crypto/bytestring/ber.c
@@ -209,13 +209,12 @@ int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
 return 1;
 }
- if (!CBB_init(&cbb, CBS_len(in))) {
- return 0;
- }
- if (!cbs_convert_ber(in, &cbb, 0, 0, 0)) {
+ if (!CBB_init(&cbb, CBS_len(in)) ||
+ !cbs_convert_ber(in, &cbb, 0, 0, 0) ||
+ !CBB_finish(&cbb, out, out_len)) {
 CBB_cleanup(&cbb);
 return 0;
 }
- return CBB_finish(&cbb, out, out_len);
+ return 1;
 }
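Review bot: The merged failure branch now calls `CBB_cleanup(&cbb)` even when `CBB_init` itself failed, and nothing at the call site records why that is safe. The commit message says cleanup after a failed init is now legal, but the code does not, so a later reader may split the condition again or port the pattern to a tree where that guarantee does not hold. I would add a comment above the `if`, for example `/* CBB_cleanup is safe after a failed CBB_init, so every failure shares this path. */`. The start of CBS_asn1_ber_to_der and the declaration of `cbb` are outside the hunk, so I cannot confirm from here what state `cbb` is in when `CBB_init` fails. Since this function converts BER input that may be attacker-supplied, an allocation-failure test covering this branch would help guard against a leak or double free being reintroduced; the diffstat shows only ber.c changing.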