Check X509Certificate::CreateFromHandle result.

net/cert/cert_verify_proc_nss.cc

Index: net/cert/cert_verify_proc_nss.cc
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index 27558f79d36a4a73e1010cf975d53357b083e47f..69da45fcaa7e1903f83bdb0a18b92238e1c1f8c0 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -152,7 +152,7 @@ CertStatus MapCertErrorToCertStatus(int err) {
 // *verify_result.  The caller MUST initialize *verify_result before calling
 // this function.
 // Note that cert_list[0] is the end entity certificate.
-void GetCertChainInfo(CERTCertList* cert_list,
+bool GetCertChainInfo(CERTCertList* cert_list,
                       CERTCertificate* root_cert,
                       CertVerifyResult* verify_result) {
   DCHECK(cert_list);
@@ -197,6 +197,7 @@ void GetCertChainInfo(CERTCertList* cert_list,
     verified_chain.push_back(root_cert);
   verify_result->verified_cert =
       X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+  return !!verify_result->verified_cert;
 }
 
 // IsKnownRoot returns true if the given certificate is one that we believe
@@ -879,9 +880,10 @@ int CertVerifyProcNSS::VerifyInternalImpl(
             trust_anchors.get(),
             cvout[cvout_trust_anchor_index].value.pointer.cert);
 
-    GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
-                     cvout[cvout_trust_anchor_index].value.pointer.cert,
-                     verify_result);
+    if (!GetCertChainInfo(cvout[cvout_cert_list_index].value.pointer.chain,
+                          cvout[cvout_trust_anchor_index].value.pointer.cert,
+                          verify_result))
+      return ERR_CERT_INVALID;
   }
 
   CRLSetResult crl_set_result = kCRLSetUnknown;