Check X509Certificate::CreateFromHandle result.

net/cert/cert_verify_proc_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/cert_verify_proc_nss.h"
 
 #include <cert.h>
 #include <nss.h>
 #include <prerror.h>
 #include <secerr.h>
@@ skipping 134 matching lines @@
 // Map PORT_GetError() return values to our cert status flags.
 CertStatus MapCertErrorToCertStatus(int err) {
   int net_error = MapSecurityError(err);
   return MapNetErrorToCertStatus(net_error);
 }
 
 // Saves some information about the certificate chain cert_list in
 // *verify_result.  The caller MUST initialize *verify_result before calling
 // this function.
 // Note that cert_list[0] is the end entity certificate.
-void GetCertChainInfo(CERTCertList* cert_list,
+bool GetCertChainInfo(CERTCertList* cert_list,
                       CERTCertificate* root_cert,
                       CertVerifyResult* verify_result) {
   DCHECK(cert_list);
 
   CERTCertificate* verified_cert = NULL;
   std::vector<CERTCertificate*> verified_chain;
   size_t i = 0;
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node), ++i) {
@@ skipping 24 matching lines @@
         }
       }
       verified_chain.push_back(node->cert);
     }
   }
 
   if (root_cert)
     verified_chain.push_back(root_cert);
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+  return !!verify_result->verified_cert;
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
 
   // This magic name is taken from
   // http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/constants.c&rev=1.13&mark=86,89#79
@@ skipping 662 matching lines @@
                           cvout[cvout_trust_anchor_index].value.pointer.cert,
                           &verify_result->public_key_hashes);
 
     verify_result->is_issued_by_known_root =
         IsKnownRoot(cvout[cvout_trust_anchor_index].value.pointer.cert);
     verify_result->is_issued_by_additional_trust_anchor =
         IsAdditionalTrustAnchor(
             trust_anchors.get(),
             cvout[cvout_trust_anchor_index].value.pointer.cert);
 
-    GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
-                     cvout[cvout_trust_anchor_index].value.pointer.cert,
-                     verify_result);
+    if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
+                          cvout[cvout_trust_anchor_index].value.pointer.cert,
+                          verify_result))
+      return ERR_CERT_INVALID;
   }
 
   CRLSetResult crl_set_result = kCRLSetUnknown;
   if (crl_set) {
     if (status == SECSuccess) {
       // Reverify the returned chain; NSS should have already called
       // CheckChainRevocationWithCRLSet prior to returning, but given the
       // edge cases (self-signed certs that are trusted; cached chains;
       // unreadable code), this is more about defense in depth than
       // functional necessity.
@@ skipping 59 matching lines @@
     CRLSet* crl_set,
     const CertificateList& additional_trust_anchors,
     CertVerifyResult* verify_result) {
   return VerifyInternalImpl(cert, hostname, ocsp_response, flags, crl_set,
                             additional_trust_anchors,
                             NULL,  // chain_verify_callback
                             verify_result);
 }
 
 }  // namespace net