Bug 1330271 - check for null template in sec_asn1{d,e}_push_state. r=nss-reviewers,djacksonNSS_3_82_BETA1

Some of our dynamic template choosers, e.g. sec_pkcs12_choose_attr_type, can
return NULL. This patch adds some defensive checks to avoid crashes when
they do.

Differential Revision: https://phabricator.services.mozilla.com/D150290

2 files changed, 10 insertions, 1 deletions

diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c
index d219ee0c2..47e1abd0a 100644
--- a/lib/util/secasn1d.c
+++ b/lib/util/secasn1d.c
@@ -365,6 +365,11 @@ sec_asn1d_push_state(SEC_ASN1DecoderContext *cx,
         state->our_mark = PORT_ArenaMark(cx->our_pool);
     }
 
+    if (theTemplate == NULL) {
+        PORT_SetError(SEC_ERROR_BAD_TEMPLATE);
+        goto loser;
+    }
+
     new_state = (sec_asn1d_state *)sec_asn1d_zalloc(cx->our_pool,
                                                     sizeof(*new_state));
     if (new_state == NULL) {
diff --git a/lib/util/secasn1e.c b/lib/util/secasn1e.c
index fb3feef52..41d284897 100644
--- a/lib/util/secasn1e.c
+++ b/lib/util/secasn1e.c
@@ -94,8 +94,12 @@ sec_asn1e_push_state(SEC_ASN1EncoderContext *cx,
 {
     sec_asn1e_state *state, *new_state;
 
-    state = cx->current;
+    if (theTemplate == NULL) {
+        cx->status = encodeError;
+        return NULL;
+    }
 
+    state = cx->current;
     new_state = (sec_asn1e_state *)PORT_ArenaZAlloc(cx->our_pool,
                                                     sizeof(*new_state));
     if (new_state == NULL) {