Check X509Certificate::CreateFromHandle result.

net/ssl/client_cert_store_nss.cc

Index: net/ssl/client_cert_store_nss.cc
diff --git a/net/ssl/client_cert_store_nss.cc b/net/ssl/client_cert_store_nss.cc
index dab47284180a3ea0f2bf2618edc2cf197da3853c..7e836a50c6b510efb970e79703013df7a6b728a7 100644
--- a/net/ssl/client_cert_store_nss.cc
+++ b/net/ssl/client_cert_store_nss.cc
@@ -99,6 +99,8 @@ void ClientCertStoreNSS::FilterCertsOnWorkerThread(
     // https://crbug.com/548631.
     filtered_certs->push_back(
         X509Certificate::CreateFromHandle(handle, intermediates_raw));
+    // |handle| was successfully parsed by |cert|, so this should never fail.
+    DCHECK(filtered_certs->back());
   }
   DVLOG(2) << "num_raw:" << num_raw
            << " num_filtered:" << filtered_certs->size();
@@ -131,8 +133,13 @@ void ClientCertStoreNSS::GetPlatformCertsOnWorkerThread(
   }
   for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
        !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
-    certs->push_back(X509Certificate::CreateFromHandle(
-        node->cert, X509Certificate::OSCertHandles()));
+    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromHandle(
+        node->cert, X509Certificate::OSCertHandles());
+    if (!cert) {
+      DVLOG(2) << "X509Certificate::CreateFromHandle failed";
+      continue;
+    }
+    certs->push_back(cert);

[eroman, 2017/03/22 22:17:52]

std::move ?

[mattm, 2017/03/23 22:59:03]

Done.

   }
   CERT_DestroyCertList(found_certs);
 }