# HG changeset patch
# Parent 0b48870665e7f023dd45c0d24005faafabdd6718
MFSA 2016-36/CVE-2016-1979
(bmo#1185033)
Use-after-free during processing of DER encoded keys in NSS
Backport of changeset 7033b1193c9496b25aafe5b0ff87abf60949e522
Bug 1185033: Free the arena rather than destroying the
SECKEYPrivateKeyInfo if ASN.1 decoding fails.
diff --git a/lib/pk11wrap/pk11pk12.c b/lib/pk11wrap/pk11pk12.c
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -229,23 +229,27 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey
PORT_FreeArena(temparena, PR_FALSE);
return rv;
}
pki->arena = temparena;
rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate,
derPKI);
if( rv != SECSuccess ) {
- goto finish;
+ /* If SEC_ASN1DecodeItem fails, we cannot assume anything about the
+ * validity of the data in pki. The best we can do is free the arena
+ * and return.
+ */
+ PORT_FreeArena(temparena, PR_TRUE);
+ return rv;
}
rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
publicValue, isPerm, isPrivate, keyUsage, privk, wincx);
-finish:
/* this zeroes the key and frees the arena */
SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
return rv;
}
SECStatus
PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,