Bugzilla Bug 287057: fixed memory leaks in callers of cert_FindExtension.

pass NULL as the SECItem* argument if we only want to know if the extension
exists but don't need its value. r=jpierre,nelsonb.
Modified Files:
	certdb/certdb.c certdb/genname.c certhigh/certhigh.c
	certhigh/certhtml.c certhigh/crlv2.c certhigh/ocsp.c

security/nss/lib/certdb/certdb.c

@@ -38,7 +38,7 @@
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.72 2005/03/05 08:03:03 nelsonb%netscape.com Exp $
+ * $Id: certdb.c,v 1.73 2005/06/30 20:53:46 wtchang%redhat.com Exp $
  */
 
 #include "nssilock.h"
@@ -545,6 +545,7 @@ cert_GetCertType(CERTCertificate *cert)
 
     tmpitem.data = NULL;
     CERT_FindNSCertTypeExtension(cert, &tmpitem);
+    encodedExtKeyUsage.data = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, 
 				&encodedExtKeyUsage);
     if (rv == SECSuccess) {
@@ -671,8 +672,10 @@ cert_GetCertType(CERTCertificate *cert)
 	}
     }
 
-    if (extKeyUsage != NULL) {
+    if (encodedExtKeyUsage.data != NULL) {
 	PORT_Free(encodedExtKeyUsage.data);
+    }
+    if (extKeyUsage != NULL) {
 	CERT_DestroyOidSequence(extKeyUsage);
     }
     /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */

security/nss/lib/certdb/genname.c

@@ -1462,6 +1462,7 @@ CERT_CompareNameSpace(CERTCertificate  *cert,
     CERTNameConstraint  *matchingConstraints;
     CERTCertificate      *badCert = NULL;
     
+    constraintsExtension.data = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, 
                                 &constraintsExtension);
     if (rv != SECSuccess) {
@@ -1474,6 +1475,7 @@ CERT_CompareNameSpace(CERTCertificate  *cert,
     }
     /* TODO: mark arena */
     constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
+    PORT_Free(constraintsExtension.data);
     currentName = namesList;
     if (constraints == NULL) { /* decode failed */
 	rv = SECFailure;

security/nss/lib/certhigh/certhigh.c

@@ -743,6 +743,7 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert)
 {
     SECItem encodedExtenValue;
     SECStatus rv;
+    CERTCrlDistributionPoints *dps;
 
     encodedExtenValue.data = NULL;
     encodedExtenValue.len = 0;
@@ -753,8 +754,11 @@ CERT_FindCRLDistributionPoints (CERTCertificate *cert)
 	return (NULL);
     }
 
-    return (CERT_DecodeCRLDistributionPoints (cert->arena,
-					      &encodedExtenValue));
+    dps = CERT_DecodeCRLDistributionPoints(cert->arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+
+    return dps;
 }
 
 /* From crl.c */

security/nss/lib/certhigh/certhtml.c

@@ -37,7 +37,7 @@
 /*
  * certhtml.c --- convert a cert to html
  *
- * $Id: certhtml.c,v 1.5 2004/04/25 15:03:03 gerv%gerv.net Exp $
+ * $Id: certhtml.c,v 1.6 2005/06/30 20:53:57 wtchang%redhat.com Exp $
  */
 
 #include "seccomon.h"
@@ -407,7 +407,6 @@ CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
     char *notBefore, *notAfter;
     char *ret;
     char *nickname;
-    SECItem dummyitem;
     unsigned char fingerprint[16];   /* result of MD5, always 16 bytes */
     char *fpstr;
     SECItem fpitem;
@@ -435,12 +434,8 @@ CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
 	showImages = PR_FALSE;
     }
 
-    dummyitem.data = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
-			       &dummyitem);
-    if ( dummyitem.data ) {
-	PORT_Free(dummyitem.data);
-    }
+			       NULL);
     
     if ( rv || !showImages ) {
 	htmlcertstrings[1] = "";
@@ -468,13 +463,8 @@ CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
     
     htmlcertstrings[5] = subject;
 
-    dummyitem.data = NULL;
-    
     rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
-			       &dummyitem);
-    if ( dummyitem.data ) {
-	PORT_Free(dummyitem.data);
-    }
+			       NULL);
     
     if ( rv || !showImages ) {
 	htmlcertstrings[7] = "";
@@ -500,6 +490,7 @@ CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
     pubk = CERT_ExtractPublicKey(cert);
     DSSPriv = NULL;
     if (pubk && (pubk->keyType == fortezzaKey)) {
+	SECItem dummyitem;
 	htmlcertstrings[18] = "</b><br><b>Clearance:</b>";
 	htmlcertstrings[19] = sec_FortezzaClearance(
 					&pubk->u.fortezza.clearance);

security/nss/lib/certhigh/crlv2.c

@@ -37,7 +37,7 @@
 /*
  * Code for dealing with x.509 v3 crl and crl entries extensions.
  *
- * $Id: crlv2.c,v 1.3 2005/03/08 07:08:47 julien.pierre.bugs%sun.com Exp $
+ * $Id: crlv2.c,v 1.4 2005/06/30 20:53:57 wtchang%redhat.com Exp $
  */
 
 #include "cert.h"
@@ -133,9 +133,8 @@ SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
 
     rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
 			     SEC_GeneralizedTimeTemplate, &encodedExtenValue);
-    if (rv != SECSuccess)
-	return (rv);
-    rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
+    if (rv == SECSuccess)
+	rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
     PORT_Free (decodedExtenValue.data);
     PORT_Free (encodedExtenValue.data);
     return (rv);

security/nss/lib/certhigh/ocsp.c

@@ -38,7 +38,7 @@
  * Implementation of OCSP services, for both client and server.
  * (XXX, really, mostly just for client right now, but intended to do both.)
  *
- * $Id: ocsp.c,v 1.20 2004/05/22 01:03:26 nelsonb%netscape.com Exp $
+ * $Id: ocsp.c,v 1.21 2005/06/30 20:53:57 wtchang%redhat.com Exp $
  */
 
 #include "prerror.h"
@@ -2296,14 +2296,9 @@ static PRBool
 ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
 {
     SECStatus rv;
-    SECItem extItem;
     
-    extItem.data = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, 
-				&extItem);
-    if (extItem.data != NULL) {
-	PORT_Free(extItem.data);
-    }
+				NULL);
     if (rv == SECSuccess) {
 	return PR_TRUE;
     }