From c5aaa488a3d6df712dc8dff23a049133cab5ec1b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 15 Dec 2016 15:02:18 +0100
Subject: [PATCH] gnutls_x509_ext_import_proxy: fix issue reading the policy language

If the language was set but the policy wasn't, that could lead to
a double free, as the value returned to the user was freed.
---
 lib/x509/extensions.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index f7c7346..2cbb684 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -1158,7 +1158,8 @@ _gnutls_x509_ext_extract_proxyCertInfo(i
 {
 	ASN1_TYPE ext = ASN1_TYPE_EMPTY;
 	int result;
-	gnutls_datum_t value;
+	gnutls_datum_t value1 = { NULL, 0 };
+	gnutls_datum_t value2 = { NULL, 0 };
 
 	if ((result = asn1_create_element
 	     (_gnutls_get_pkix(), "PKIX1.ProxyCertInfo",
@@ -1187,18 +1187,20 @@ _gnutls_x509_ext_extract_proxyCertInfo(i
 	}
 
 	result = _gnutls_x509_read_value(ext, "proxyPolicy.policyLanguage",
-					 &value);
+					 &value1);
 	if (result < 0) {
 		gnutls_assert();
 		asn1_delete_structure(&ext);
 		return result;
 	}
 
-	if (policyLanguage)
-		*policyLanguage = gnutls_strdup((char *) value.data);
+	if (policyLanguage) {
+		*policyLanguage = gnutls_strdup((char *) value1.data);
+		value1.data = NULL;
+	}
 
 	result =
-	    _gnutls_x509_read_value(ext, "proxyPolicy.policy", &value);
+	    _gnutls_x509_read_value(ext, "proxyPolicy.policy", &value2);
 	if (result == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND) {
 		if (policy)
 			*policy = NULL;
@@ -1209,10 +1212,12 @@ _gnutls_x509_ext_extract_proxyCertInfo(i
 		asn1_delete_structure(&ext);
 		return result;
 	} else {
-		if (policy)
-			*policy = (char *) value.data;
+		if (policy) {
+			*policy = (char *) value2.data;
+			value2.data = NULL;
+		}
 		if (sizeof_policy)
-			*sizeof_policy = value.size;
+			*sizeof_policy = value2.size;
 	}
 
 	asn1_delete_structure(&ext);
--
libgit2 0.24.0