1 files changed, 19 insertions, 4 deletions

diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
index 7fe9113e4..5556cd176 100644
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -72,12 +72,16 @@ STAN_InitTokenForSlotInfo(NSSTrustDomain *td, PK11SlotInfo *slot)
         }
     }
     token = nssToken_CreateFromPK11SlotInfo(td, slot);
-    PK11Slot_SetNSSToken(slot, token);
-    /* Don't add nonexistent token to TD's token list */
     if (token) {
+        /* PK11Slot_SetNSSToken increments the refcount on |token| to 2 */
+        PK11Slot_SetNSSToken(slot, token);
+
+        /* we give our reference to |td->tokenList| */
         NSSRWLock_LockWrite(td->tokensLock);
         nssList_Add(td->tokenList, token);
         NSSRWLock_UnlockWrite(td->tokensLock);
+    } else {
+        PK11Slot_SetNSSToken(slot, NULL);
     }
     return PR_SUCCESS;
 }
@@ -188,7 +192,8 @@ STAN_RemoveModuleFromDefaultTrustDomain(
             nssList_Remove(td->tokenList, token);
             NSSRWLock_UnlockWrite(td->tokensLock);
             PK11Slot_SetNSSToken(module->slots[i], NULL);
-            nssToken_Destroy(token);
+            (void)nssToken_Destroy(token); /* for the |td->tokenList| reference */
+            (void)nssToken_Destroy(token); /* for our PK11Slot_GetNSSToken reference */
         }
     }
     NSSRWLock_LockWrite(td->tokensLock);
@@ -1076,7 +1081,11 @@ STAN_GetNSSCertificate(CERTCertificate *cc)
             nssArena_Destroy(arena);
             return NULL;
         }
-        instance->token = nssToken_AddRef(PK11Slot_GetNSSToken(cc->slot));
+        instance->token = PK11Slot_GetNSSToken(cc->slot);
+        if (!instance->token) {
+            nssArena_Destroy(arena);
+            return NULL;
+        }
         instance->handle = cc->pkcs11ID;
         instance->isTokenObject = PR_TRUE;
         if (cc->nickname) {
@@ -1269,6 +1278,10 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
             NSSASCII7 *email = c->email;
             tok = PK11Slot_GetNSSToken(slot);
             PK11_FreeSlot(slot);
+            if (!tok) {
+                nssrv = PR_FAILURE;
+                goto done;
+            }
 
             newInstance = nssToken_ImportCertificate(tok, NULL,
                                                      NSSCertificateType_PKIX,
@@ -1283,6 +1296,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
             nss_ZFreeIf(nickname);
             nickname = NULL;
             if (!newInstance) {
+                (void)nssToken_Destroy(tok);
                 nssrv = PR_FAILURE;
                 goto done;
             }
@@ -1294,6 +1308,7 @@ STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
                                                nssTrust->codeSigning,
                                                nssTrust->emailProtection,
                                                nssTrust->stepUpApproved, PR_TRUE);
+            (void)nssToken_Destroy(tok);
         }
         if (newInstance) {
             nssCryptokiObject_Destroy(newInstance);