author    John M. Schanck <jschanck@mozilla.com>  2022-03-23 18:07:30 +0000
committer John M. Schanck <jschanck@mozilla.com>  2022-03-23 18:07:30 +0000
commit    abb64a86f852793998bd67100aec58405fb4b9d7 (patch)
tree      a7fe4deaa8c83d208b1fb81ff832e00ce1accf64
parent    a02dc073b60adaf989c3c970b7282bfeb3933812 (diff)
download  nss-hg-abb64a86f852793998bd67100aec58405fb4b9d7.tar.gz
Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. r=rrelyea
The `stateEnd->parent != state` check was added in Bug 95458 to avoid a crash in `sec_asn1d_free_child`. The diagnosis in Bug 95458 is incorrect---the crash was actually due to a `PORT_Assert(0)` that was meant to highlight a memory leak when `SEC_ASN1DecoderStart` was called with `their_pool==NULL`. The offending assertion was removed in Bug 95311, which makes the `stateEnd` check obsolete.

In Bug 1753535 it was observed that the `stateEnd` check could read from a poisoned region of an arena when the decoder was used in a streaming mode. This read-after-poison could lead to an arena memory leak, although this is mitigated by the fact that the read-after-poison is on an error-handling path where the caller typically frees the entire arena.

Differential Revision: https://phabricator.services.mozilla.com/D140861
-rw-r--r--  lib/util/secasn1d.c  3
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c
index bb1887f7c..9b5586228 100644
--- a/lib/util/secasn1d.c
+++ b/lib/util/secasn1d.c
@@ -2750,7 +2750,6 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
sec_asn1d_state *state = NULL;
unsigned long consumed;
SEC_ASN1EncodingPart what;
- sec_asn1d_state *stateEnd = cx->current;
if (cx->status == needBytes)
cx->status = keepGoing;
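Review bot: dropping the `stateEnd` declaration here removes the only snapshot of `cx->current` taken at function entry, so the decodeError cleanup further down in this function is now bounded solely by `state->parent` reaching NULL; confirm that no other path in the unchanged 2750-2938 range still references `stateEnd`, otherwise this hunk alone would not compile. The removal is otherwise consistent with the second hunk, which is the sole remaining use visible in the patch.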
@@ -2939,7 +2938,7 @@ SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
}
if (cx->status == decodeError) {
- while (state != NULL && stateEnd->parent != state) {
+ while (state != NULL) {
sec_asn1d_free_child(state, PR_TRUE);
state = state->parent;
}
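Review bot: the new unbounded `while (state != NULL)` loop deserves a one-line comment stating that on decodeError the whole state chain is released up to the root, and that the former `stateEnd->parent != state` bound was removed because `stateEnd` could point into an arena region already poisoned in streaming use; without that note the next reader may reinstate a bound for the crash Bug 95458 misdiagnosed. Also, since `sec_asn1d_free_child` is outside the hunk, confirm it never releases `state` itself, as `state->parent` is read on the very next line after the call.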