From 59c2aa4c8fcca1f139983d0a015c7ec6b8c6e0e2 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Sun, 15 Feb 2015 08:44:35 +0000
Subject: In ec_wNAF_mul(), move the declaration of tmp_wNAF higher in scope,
 so that all the function's exit paths can make sure it gets freed. Coverity
 CID 78861 tweaks & ok doug@ jsing@

---
 src/lib/libcrypto/ec/ec_mult.c         | 11 +++++------
 src/lib/libssl/src/crypto/ec/ec_mult.c | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index e711413598..68f55cfcb3 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.18 2015/02/15 08:44:35 miod Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -348,6 +348,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 	int r_is_at_infinity = 1;
 	size_t *wsize = NULL;	/* individual window sizes */
 	signed char **wNAF = NULL;	/* individual wNAFs */
+	signed char *tmp_wNAF = NULL;
 	size_t *wNAF_len = NULL;
 	size_t max_len = 0;
 	size_t num_val;
@@ -470,7 +471,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 			}
 			/* we have already generated a wNAF for 'scalar' */
 		} else {
-			signed char *tmp_wNAF = NULL;
 			size_t tmp_len = 0;
 
 			if (num_scalar != 0) {
@@ -483,7 +483,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 			 */
 			wsize[num] = pre_comp->w;
 			tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
-			if (!tmp_wNAF)
+			if (tmp_wNAF == NULL)
 				goto err;
 
 			if (tmp_len <= max_len) {
@@ -497,6 +497,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 				totalnum = num + 1;	/* don't use wNAF
 							 * splitting */
 				wNAF[num] = tmp_wNAF;
+				tmp_wNAF = NULL;
 				wNAF[num + 1] = NULL;
 				wNAF_len[num] = tmp_len;
 				if (tmp_len > max_len)
@@ -553,7 +554,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 					wNAF[i] = malloc(wNAF_len[i]);
 					if (wNAF[i] == NULL) {
 						ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
-						free(tmp_wNAF);
 						goto err;
 					}
 					memcpy(wNAF[i], pp, wNAF_len[i]);
@@ -562,14 +562,12 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 
 					if (*tmp_points == NULL) {
 						ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
-						free(tmp_wNAF);
 						goto err;
 					}
 					val_sub[i] = tmp_points;
 					tmp_points += pre_points_per_block;
 					pp += blocksize;
 				}
-				free(tmp_wNAF);
 			}
 		}
 	}
@@ -686,6 +684,7 @@ err:
 	EC_POINT_free(tmp);
 	free(wsize);
 	free(wNAF_len);
+	free(tmp_wNAF);
 	if (wNAF != NULL) {
 		signed char **w;
 
diff --git a/src/lib/libssl/src/crypto/ec/ec_mult.c b/src/lib/libssl/src/crypto/ec/ec_mult.c
index e711413598..68f55cfcb3 100644
--- a/src/lib/libssl/src/crypto/ec/ec_mult.c
+++ b/src/lib/libssl/src/crypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.18 2015/02/15 08:44:35 miod Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -348,6 +348,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 	int r_is_at_infinity = 1;
 	size_t *wsize = NULL;	/* individual window sizes */
 	signed char **wNAF = NULL;	/* individual wNAFs */
+	signed char *tmp_wNAF = NULL;
 	size_t *wNAF_len = NULL;
 	size_t max_len = 0;
 	size_t num_val;
@@ -470,7 +471,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 			}
 			/* we have already generated a wNAF for 'scalar' */
 		} else {
-			signed char *tmp_wNAF = NULL;
 			size_t tmp_len = 0;
 
 			if (num_scalar != 0) {
@@ -483,7 +483,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 			 */
 			wsize[num] = pre_comp->w;
 			tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
-			if (!tmp_wNAF)
+			if (tmp_wNAF == NULL)
 				goto err;
 
 			if (tmp_len <= max_len) {
@@ -497,6 +497,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 				totalnum = num + 1;	/* don't use wNAF
 							 * splitting */
 				wNAF[num] = tmp_wNAF;
+				tmp_wNAF = NULL;
 				wNAF[num + 1] = NULL;
 				wNAF_len[num] = tmp_len;
 				if (tmp_len > max_len)
@@ -553,7 +554,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 					wNAF[i] = malloc(wNAF_len[i]);
 					if (wNAF[i] == NULL) {
 						ECerr(EC_F_EC_WNAF_MUL, ERR_R_MALLOC_FAILURE);
-						free(tmp_wNAF);
 						goto err;
 					}
 					memcpy(wNAF[i], pp, wNAF_len[i]);
@@ -562,14 +562,12 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar,
 
 					if (*tmp_points == NULL) {
 						ECerr(EC_F_EC_WNAF_MUL, ERR_R_INTERNAL_ERROR);
-						free(tmp_wNAF);
 						goto err;
 					}
 					val_sub[i] = tmp_points;
 					tmp_points += pre_points_per_block;
 					pp += blocksize;
 				}
-				free(tmp_wNAF);
 			}
 		}
 	}
@@ -686,6 +684,7 @@ err:
 	EC_POINT_free(tmp);
 	free(wsize);
 	free(wNAF_len);
+	free(tmp_wNAF);
 	if (wNAF != NULL) {
 		signed char **w;
 
-- 
cgit v1.2.3-55-g6feb