Check X509Certificate::CreateFromHandle result.

net/cert/cert_verify_proc_nss.cc

Index: net/cert/cert_verify_proc_nss.cc
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index 27558f79d36a4a73e1010cf975d53357b083e47f..47c508be81479bcfc5fa3e61d76fa12d280a7ac4 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -152,7 +152,7 @@ CertStatus MapCertErrorToCertStatus(int err) {
 // *verify_result.  The caller MUST initialize *verify_result before calling
 // this function.
 // Note that cert_list[0] is the end entity certificate.
-void GetCertChainInfo(CERTCertList* cert_list,
+bool GetCertChainInfo(CERTCertList* cert_list,
                       CERTCertificate* root_cert,
                       CertVerifyResult* verify_result) {
   DCHECK(cert_list);
@@ -195,8 +195,13 @@ void GetCertChainInfo(CERTCertList* cert_list,
 
   if (root_cert)
     verified_chain.push_back(root_cert);
-  verify_result->verified_cert =
+
+  scoped_refptr<X509Certificate> verified_cert_with_chain =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+  if (!verified_cert_with_chain)
+    return false;
+  verify_result->verified_cert = std::move(verified_cert_with_chain);
+  return true;
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
@@ -879,9 +884,11 @@ int CertVerifyProcNSS::VerifyInternalImpl(
             trust_anchors.get(),
             cvout[cvout_trust_anchor_index].value.pointer.cert);
 
-    GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
-                     cvout[cvout_trust_anchor_index].value.pointer.cert,
-                     verify_result);
+    if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
+                          cvout[cvout_trust_anchor_index].value.pointer.cert,
+                          verify_result)) {
+      verify_result->cert_status |= CERT_STATUS_INVALID;
+    }
   }
 
   CRLSetResult crl_set_result = kCRLSetUnknown;