Pull in more changes from OpenSSL 1.0.1h.

This change includes the following changes from OpenSSL:

a07856a08d7e8d76273e5d05099914aa335da143
"Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362"

725c5f1ad393a7bc344348d0ec7c268aaf2700a7
"Fix use after free."
(Not a problem unless read-ahead is used, which it is not in Chrome)

bcc311668ede6ffdcd6dc5a65454a548b5404fcc
"Free up s->d1->buffered_app_data.q properly. PR#3286"

b107586c0c3447ea22dba8698ebbcd81bb29d48c
"Fixed NULL pointer dereference. See PR#3321"

d0666f289ac013094bbbf547bfbcd616199b7d2d
"evp: prevent underflow in base64 decoding. This patch resolves RT ticket #2608."

a41d5174e27c99d1caefd76a8e927c814ede509e
"Initialize num properly."

8eb094b9460575a328ba04708147c91fc267b394
"Double free in i2o_ECPublicKey. PR: 3338."

9c8dc84ac16a2f21063ae36809d202d0284ecf82
"Fix double frees."

BUG=381169


git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/openssl@275836 4ff67af0-8c30-449e-8e8b-ad334ec8d88c

8 files changed, 29 insertions, 18 deletions

diff --git a/openssl/crypto/ec/ec_asn1.c b/openssl/crypto/ec/ec_asn1.c
index 175eec5..e8e5448 100644
--- a/openssl/crypto/ec/ec_asn1.c
+++ b/openssl/crypto/ec/ec_asn1.c
@@ -1433,8 +1433,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned char **out)
 				*out, buf_len, NULL))
 		{
 		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
-		OPENSSL_free(*out);
-		*out = NULL;
+		if (new_buffer)
+			{
+			OPENSSL_free(*out);
+			*out = NULL;
+			}
 		return 0;
 		}
 	if (!new_buffer)
diff --git a/openssl/crypto/evp/bio_b64.c b/openssl/crypto/evp/bio_b64.c
index 72a2a67..373c340 100644
--- a/openssl/crypto/evp/bio_b64.c
+++ b/openssl/crypto/evp/bio_b64.c
@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, int outl)
 		else if (ctx->start)
 			{
 			q=p=(unsigned char *)ctx->tmp;
+			num = 0;
 			for (j=0; j<i; j++)
 				{
 				if (*(q++) != '\n') continue;
diff --git a/openssl/crypto/evp/encode.c b/openssl/crypto/evp/encode.c
index 28546a8..4654bdc 100644
--- a/openssl/crypto/evp/encode.c
+++ b/openssl/crypto/evp/encode.c
@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
 				v=EVP_DecodeBlock(out,d,n);
 				n=0;
 				if (v < 0) { rv=0; goto end; }
+				if (eof > v) { rv=-1; goto end; }
 				ret+=(v-eof);
 				}
 			else
diff --git a/openssl/crypto/pkcs7/pk7_doit.c b/openssl/crypto/pkcs7/pk7_doit.c
index 77fda3b..4c12a9d 100644
--- a/openssl/crypto/pkcs7/pk7_doit.c
+++ b/openssl/crypto/pkcs7/pk7_doit.c
@@ -928,6 +928,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
 	if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
 		goto err;
 	OPENSSL_free(abuf);
+	abuf = NULL;
 	if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
 		goto err;
 	abuf = OPENSSL_malloc(siglen);
diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c
index f61f718..1004c57 100644
--- a/openssl/ssl/d1_lib.c
+++ b/openssl/ssl/d1_lib.c
@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s)
 
 	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
 		{
-		frag = (hm_fragment *)item->data;
-		OPENSSL_free(frag->fragment);
-		OPENSSL_free(frag);
+		rdata = (DTLS1_RECORD_DATA *) item->data;
+		if (rdata->rbuf.buf)
+			{
+			OPENSSL_free(rdata->rbuf.buf);
+			}
+		OPENSSL_free(item->data);
 		pitem_free(item);
 		}
 	}
diff --git a/openssl/ssl/d1_pkt.c b/openssl/ssl/d1_pkt.c
index 0bf87be..028d48b 100644
--- a/openssl/ssl/d1_pkt.c
+++ b/openssl/ssl/d1_pkt.c
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 	}
 #endif
 
-	/* insert should not fail, since duplicates are dropped */
-	if (pqueue_insert(queue->q, item) == NULL)
-		{
-		OPENSSL_free(rdata);
-		pitem_free(item);
-		return(0);
-		}
-
 	s->packet = NULL;
 	s->packet_length = 0;
 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -259,7 +251,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 		pitem_free(item);
 		return(0);
 		}
-	
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
+
 	return(1);
 	}
 
diff --git a/openssl/ssl/d1_srvr.c b/openssl/ssl/d1_srvr.c
index 29421da..014ef52 100644
--- a/openssl/ssl/d1_srvr.c
+++ b/openssl/ssl/d1_srvr.c
@@ -1345,6 +1345,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 			    (unsigned char *)encodedPoint, 
 			    encodedlen);
 			OPENSSL_free(encodedPoint);
+			encodedPoint = NULL;
 			p += encodedlen;
 			}
 #endif
diff --git a/openssl/ssl/s3_pkt.c b/openssl/ssl/s3_pkt.c
index 98d448d..03ed461 100644
--- a/openssl/ssl/s3_pkt.c
+++ b/openssl/ssl/s3_pkt.c
@@ -641,9 +641,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	SSL3_BUFFER *wb=&(s->s3->wbuf);
 	SSL_SESSION *sess;
 
- 	if (wb->buf == NULL)
-		if (!ssl3_setup_write_buffer(s))
-			return -1;
 
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
@@ -659,6 +656,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		/* if it went, fall through and send more stuff */
 		}
 
+ 	if (wb->buf == NULL)
+		if (!ssl3_setup_write_buffer(s))
+			return -1;
+
 	if (len == 0 && !create_empty_fragment)
 		return 0;
 
@@ -1060,7 +1061,7 @@ start:
 				{
 				s->rstate=SSL_ST_READ_HEADER;
 				rr->off=0;
-				if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+				if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
 					ssl3_release_read_buffer(s);
 				}
 			}