fix two remotely triggerable memory leaks.

tested by jasper

2 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libssl/src/ssl/d1_srtp.c b/src/lib/libssl/src/ssl/d1_srtp.c
index 928935bd8b..e994a0667a 100644
--- a/src/lib/libssl/src/ssl/d1_srtp.c
+++ b/src/lib/libssl/src/ssl/d1_srtp.c
@@ -213,6 +213,7 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
                 else
                         {
                         SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
+                        sk_SRTP_PROTECTION_PROFILE_free(profiles);
                         return 1;
                         }
 
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 1cf17cce0d..1b69e4f34d 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -2188,8 +2188,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
         HMAC_Update(&hctx, etick, eticklen);
         HMAC_Final(&hctx, tick_hmac, NULL);
         HMAC_CTX_cleanup(&hctx);
-        if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen))
+        if (timingsafe_bcmp(tick_hmac, etick + eticklen, mlen)) {
+                EVP_CIPHER_CTX_cleanup(&ctx);
                 return 2;
+        }
         /* Attempt to decrypt session data */
         /* Move p after IV to start of encrypted ticket, update length */
         p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);