Bug 621664: double free in NSS_CMSSignerInfo_Sign

Patch contributed by  David Cooper <dcooper16@gmail.com>


git-svn-id: svn://10.0.0.236/trunk@261902 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/security/nss/lib/smime/cmssiginfo.c

@@ -38,7 +38,7 @@
 /*
  * CMS signerInfo methods.
  *
- * $Id: cmssiginfo.c,v 1.33 2010-08-28 18:09:09 nelson%bolyard.com Exp $
+ * $Id: cmssiginfo.c,v 1.34 2011-02-07 18:32:19 nelson%bolyard.com Exp $
  */
 
 #include "cmslocal.h"
@@ -166,7 +166,8 @@ NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
  *
  */
 SECStatus
-NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, 
+                       SECItem *contentType)
 {
     CERTCertificate *cert;
     SECKEYPrivateKey *privkey = NULL;
@@ -186,7 +187,8 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
     case NSSCMSSignerID_IssuerSN:
         cert = signerinfo->cert;
 
-        if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
+        privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg);
+        if (privkey == NULL)
 	    goto loser;
         algID = &cert->subjectPublicKeyInfo.algorithm;
         break;
@@ -272,6 +274,7 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
 	rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, 
 	                  privkey, signAlgTag);
 	PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
+	tmppoolp = 0;
     } else {
 	rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
     }