From fe3dcd05dd911560c71a260bcd117ec224a4f473 Mon Sep 17 00:00:00 2001
From: "alexei.volkov.bugs%sun.com"
 <alexei.volkov.bugs%sun.com@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Fri, 29 May 2009 18:10:39 +0000
Subject: [PATCH] 494087 -  Passing NULL as the value of cert_pi_trustAnchors
 causes a crash in cert_pkixSetParam. r=wtc.

git-svn-id: svn://10.0.0.236/trunk@257299 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/security/nss/lib/certdb/certt.h         | 11 ++++++++---
 mozilla/security/nss/lib/certhigh/certvfypkix.c |  6 +++++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/mozilla/security/nss/lib/certdb/certt.h b/mozilla/security/nss/lib/certdb/certt.h
index 3ecc81508de..731a11b91e6 100644
--- a/mozilla/security/nss/lib/certdb/certt.h
+++ b/mozilla/security/nss/lib/certdb/certt.h
@@ -36,7 +36,7 @@
 /*
  * certt.h - public data structures for the certificate library
  *
- * $Id: certt.h,v 1.51 2009-05-22 04:29:55 wtc%google.com Exp $
+ * $Id: certt.h,v 1.52 2009-05-29 18:10:38 alexei.volkov.bugs%sun.com Exp $
  */
 #ifndef _CERTT_H_
 #define _CERTT_H_
@@ -940,8 +940,13 @@ typedef enum {
    cert_pi_certStores      = 10,/* Bitmask of Cert Store flags (see below)
 				 * Set in value.scalar.ui */
    cert_pi_trustAnchors    = 11,/* Specify the list of trusted roots to 
-				 * validate against. If the list in NULL all
-				 * default trusted roots are used.
+				 * validate against. 
+				 * The default set of trusted roots, these are
+				 * root CA certs from libnssckbi.so or CA
+				 * certs trusted by user, are used in any of
+				 * the following cases:
+				 *      * when the parameter is not set.
+				 *      * when the list of trust anchors is empty.
 				 * Specified in value.pointer.chain */
    cert_pi_useAIACertFetch = 12, /* Enables cert fetching using AIA extension.
 				 * In NSS 3.12.1 or later. Default is off.
diff --git a/mozilla/security/nss/lib/certhigh/certvfypkix.c b/mozilla/security/nss/lib/certhigh/certvfypkix.c
index 45065c07426..e437953eee3 100644
--- a/mozilla/security/nss/lib/certhigh/certvfypkix.c
+++ b/mozilla/security/nss/lib/certhigh/certvfypkix.c
@@ -1690,7 +1690,11 @@ cert_pkixSetParam(PKIX_ProcessingParams *procParams,
 
         case cert_pi_trustAnchors:
             certList = param->value.pointer.chain;
-
+            if (!certList) {
+                PORT_SetError(errCode);
+                r = SECFailure;
+                break;
+            }
             error = PKIX_List_Create(&certListPkix, plContext);
             if (error != NULL) {
                 break;