Check X509Certificate::CreateFromHandle result.

net/cert/cert_verify_proc_ios.cc

Index: net/cert/cert_verify_proc_ios.cc
diff --git a/net/cert/cert_verify_proc_ios.cc b/net/cert/cert_verify_proc_ios.cc
index 84ecd2aea84ba31730c706d83dc16c03ed414667..4706f10dc646ac38e9da56bbad9167bf450d713e 100644
--- a/net/cert/cert_verify_proc_ios.cc
+++ b/net/cert/cert_verify_proc_ios.cc
@@ -101,7 +101,7 @@ int BuildAndEvaluateSecTrustRef(CFArrayRef cert_array,
   return OK;
 }
 
-void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
+bool GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
   DCHECK_LT(0, CFArrayGetCount(cert_chain));
 
   SecCertificateRef verified_cert = nullptr;
@@ -117,7 +117,7 @@ void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
 
     std::string der_bytes;
     if (!X509Certificate::GetDEREncoded(chain_cert, &der_bytes))
-      return;
+      return false;
 
     base::StringPiece spki_bytes;
     if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
@@ -139,11 +139,12 @@ void GetCertChainInfo(CFArrayRef cert_chain, CertVerifyResult* verify_result) {
   }
   if (!verified_cert) {
     NOTREACHED();
-    return;
+    return false;
   }
 
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+  return !!verify_result->verified_cert;
 }
 
 }  // namespace
@@ -264,7 +265,8 @@ int CertVerifyProcIOS::VerifyInternal(
       verify_result->cert_status |= GetCertFailureStatusFromTrust(trust_ref);
   }
 
-  GetCertChainInfo(final_chain, verify_result);
+  if (!GetCertChainInfo(final_chain, verify_result))
+    return ERR_CERT_INVALID;
 
   // iOS lacks the ability to distinguish built-in versus non-built-in roots,
   // so opt to 'fail open' of any restrictive policies that apply to built-in