From 5b2a51de6cec74b94e6d18d83ba410f6943f613f Mon Sep 17 00:00:00 2001
From: Matthew Braithwaite <mab@google.com>
Date: Tue, 10 Apr 2018 15:32:03 -0700
Subject: [PATCH] Check for nullptr result of SSLKeyShare::Create().

(Found by fuzzing.)

Change-Id: I5685a8ad1fedeb9535216e277c5a1fb1902d3338
Reviewed-on: https://boringssl-review.googlesource.com/27264
Commit-Queue: Matt Braithwaite <mab@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
---
 ssl/ssl_key_share.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index 2a076c33..c7f6f88f 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -248,11 +248,11 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
 
 UniquePtr<SSLKeyShare> SSLKeyShare::Create(CBS *in) {
   uint64_t group;
-  if (!CBS_get_asn1_uint64(in, &group)) {
+  if (!CBS_get_asn1_uint64(in, &group) || group > 0xffff) {
     return nullptr;
   }
-  UniquePtr<SSLKeyShare> key_share = Create(static_cast<uint64_t>(group));
-  if (!key_share->Deserialize(in)) {
+  UniquePtr<SSLKeyShare> key_share = Create(static_cast<uint16_t>(group));
+  if (!key_share || !key_share->Deserialize(in)) {
     return nullptr;
   }
   return key_share;