commit 89117535f1bb3ea72a17933b703271587d7aaf0b
Author: Matt Caswell <matt@openssl.org>
Date:   Mon Feb 9 11:38:41 2015 +0000

    Fix a failure to NULL a pointer freed on error.
    
    Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>
    
    CVE-2015-0209
    
    Reviewed-by: Emilia Käsper <emilia@openssl.org>

Index: openssl-1.0.1k/crypto/ec/ec_asn1.c
===================================================================
--- openssl-1.0.1k.orig/crypto/ec/ec_asn1.c	2015-03-19 15:58:22.021039425 +0100
+++ openssl-1.0.1k/crypto/ec/ec_asn1.c	2015-03-19 15:58:26.431103852 +0100
@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
                                  ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
-		if (a)
-			*a = ret;
 		}
 	else
 		ret = *a;
@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
 		ret->enc_flag |= EC_PKEY_NO_PUBKEY;
 		}
 
+	if (a)
+		*a = ret;
 	ok = 1;
 err:
 	if (!ok)
 		{
-		if (ret)
+	        if (ret && (a == NULL || *a != ret))
 			EC_KEY_free(ret);
 		ret = NULL;
 		}