Bugzilla Bug 320336: SECITEM_AllocItem should return a NULL pointer if the

allocation of its 'data' buffer fails. r=nelson.  This checkin fixed bug
333405 as a byproduct.
Modified files: secitem.c secitem.h
 Tag: NSS_3_11_BRANCH

2 files changed, 13 insertions, 8 deletions

diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index 71009143c..20eaecd0c 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -65,17 +65,17 @@ SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
 	    goto loser;
 	}
     } else {
-	PORT_Assert(item->data == NULL);
 	result = item;
     }
 
     result->len = len;
-    if (len) {
-	if (arena != NULL) {
-	    result->data = PORT_ArenaAlloc(arena, len);
-	} else {
-	    result->data = PORT_Alloc(len);
-	}
+    if (arena != NULL) {
+	result->data = PORT_ArenaAlloc(arena, len);
+    } else {
+	result->data = PORT_Alloc(len);
+    }
+    if (result->data == NULL && len) {
+	goto loser;
     }
 
     if (mark) {
@@ -96,6 +96,10 @@ loser:
 	if (result != NULL) {
 	    SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
 	}
+	/*
+	 * If item is not NULL, the above has set item->data and
+	 * item->len to 0.
+	 */
     }
     return(NULL);
 }
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
index b73083f2b..fee905c2f 100644
--- a/security/nss/lib/util/secitem.h
+++ b/security/nss/lib/util/secitem.h
@@ -53,7 +53,8 @@ SEC_BEGIN_PROTOS
 ** Allocate an item.  If "arena" is not NULL, then allocate from there,
 ** otherwise allocate from the heap.  If "item" is not NULL, allocate
 ** only the data for the item, not the item itself.  The item structure
-** is allocated zero-filled; the data buffer is not zeroed.
+** is allocated zero-filled; the data buffer is not zeroed.  The caller
+** is responsible for initializing the type field of the item.
 **
 ** The resulting item is returned; NULL if any error occurs.
 **