Bug 1507135 - update Thunderbird 65 beta 4 release branch to NSS 3.41.1. a=jorgk UPGRADE_NSS_RELEASE, DONTBUILD THUNDERBIRD650b4_2019012301_RELBRANCH
authorKai Engert <kaie@kuix.de>
Wed, 23 Jan 2019 13:23:54 +0100
branchTHUNDERBIRD650b4_2019012301_RELBRANCH
changeset 511763 ef5478ee0f0a315fcbed7466cb5a671dbef7b9ce
parent 506784 9876a3bd6201164969f035266bb64ec983b286c6
push id10557
push usermozilla@jorgk.com
push dateWed, 23 Jan 2019 12:25:50 +0000
treeherdermozilla-beta@ef5478ee0f0a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjorgk
bugs1507135
milestone65.0
Bug 1507135 - update Thunderbird 65 beta 4 release branch to NSS 3.41.1. a=jorgk UPGRADE_NSS_RELEASE, DONTBUILD
old-configure.in
security/nss/TAG-INFO
security/nss/automation/abi-check/expected-report-libsmime3.so.txt
security/nss/coreconf/coreconf.dep
security/nss/lib/nss/nss.h
security/nss/lib/smime/cmscinfo.c
security/nss/lib/smime/cmsdigdata.c
security/nss/lib/smime/cmsencdata.c
security/nss/lib/smime/cmsenvdata.c
security/nss/lib/smime/cmsmessage.c
security/nss/lib/smime/cmsudf.c
security/nss/lib/softoken/softkver.h
security/nss/lib/util/nssutil.h
--- a/old-configure.in
+++ b/old-configure.in
@@ -1735,17 +1735,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.41, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.41.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
 if test -z "$MOZ_SYSTEM_NSS"; then
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
         WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
             ;;
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_41_RTM
+NSS_3_41_1_RTM
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -1,12 +1,12 @@
 
 1 function with some indirect sub-type change:
 
-  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:363:1 has some indirect sub-type changes:
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
     parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
       in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
         underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
           type size hasn't changed
           1 data member changes (2 filtered):
            type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
              underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
                type size hasn't changed
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,20 +17,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.41" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.41.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 41
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/smime/cmscinfo.c
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -46,16 +46,20 @@ nss_cmsContentInfo_private_destroy(NSSCM
 /*
  * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
  */
 void
 NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
 {
     SECOidTag kind;
 
+    if (cinfo == NULL) {
+        return;
+    }
+
     kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
     switch (kind) {
         case SEC_OID_PKCS7_ENVELOPED_DATA:
             NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData);
             break;
         case SEC_OID_PKCS7_SIGNED_DATA:
             NSS_CMSSignedData_Destroy(cinfo->content.signedData);
             break;
@@ -81,16 +85,21 @@ NSS_CMSContentInfo_Destroy(NSSCMSContent
 
 /*
  * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
  */
 NSSCMSContentInfo *
 NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
 {
     NSSCMSContentInfo *ccinfo = NULL;
+
+    if (cinfo == NULL) {
+        return NULL;
+    }
+
     SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
     switch (tag) {
         case SEC_OID_PKCS7_SIGNED_DATA:
             if (cinfo->content.signedData != NULL) {
                 ccinfo = &(cinfo->content.signedData->contentInfo);
             }
             break;
         case SEC_OID_PKCS7_ENVELOPED_DATA:
@@ -122,16 +131,19 @@ NSS_CMSContentInfo_GetChildContentInfo(N
     }
     return ccinfo;
 }
 
 SECStatus
 NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
 {
     SECStatus rv;
+    if (cinfo == NULL) {
+        return SECFailure;
+    }
 
     rv = NSS_CMSContentInfo_Private_Init(cinfo);
     if (rv != SECSuccess) {
         /* default is streaming, failure to get ccinfo will not effect this */
         return dontStream ? SECFailure : SECSuccess;
     }
     cinfo->privateInfo->dontStream = dontStream;
     return SECSuccess;
@@ -140,25 +152,30 @@ NSS_CMSContentInfo_SetDontStream(NSSCMSC
 /*
  * NSS_CMSContentInfo_SetContent - set content type & content
  */
 SECStatus
 NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
                               SECOidTag type, void *ptr)
 {
     SECStatus rv;
+    if (cinfo == NULL || cmsg == NULL) {
+        return SECFailure;
+    }
 
     cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
-    if (cinfo->contentTypeTag == NULL)
+    if (cinfo->contentTypeTag == NULL) {
         return SECFailure;
+    }
 
     /* do not copy the oid, just create a reference */
     rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
-    if (rv != SECSuccess)
+    if (rv != SECSuccess) {
         return SECFailure;
+    }
 
     cinfo->content.pointer = ptr;
 
     if (NSS_CMSType_IsData(type) && ptr) {
         cinfo->rawContent = ptr;
     } else {
         /* as we always have some inner data,
      * we need to set it to something, just to fool the encoder enough to work on it
@@ -180,18 +197,19 @@ NSS_CMSContentInfo_SetContent(NSSCMSMess
 /*
  * data == NULL -> pass in data via NSS_CMSEncoder_Update
  * data != NULL -> take this data
  */
 SECStatus
 NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
                                    SECItem *data, PRBool detached)
 {
-    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
+    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) {
         return SECFailure;
+    }
     if (detached) {
         cinfo->rawContent = NULL;
     }
 
     return SECSuccess;
 }
 
 SECStatus
@@ -225,16 +243,20 @@ NSS_CMSContentInfo_SetContent_EncryptedD
 /*
  * NSS_CMSContentInfo_GetContent - get pointer to inner content
  *
  * needs to be casted...
  */
 void *
 NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
 {
+    if (cinfo == NULL) {
+        return NULL;
+    }
+
     SECOidTag tag = cinfo->contentTypeTag
                         ? cinfo->contentTypeTag->offset
                         : SEC_OID_UNKNOWN;
     switch (tag) {
         case SEC_OID_PKCS7_DATA:
         case SEC_OID_PKCS7_SIGNED_DATA:
         case SEC_OID_PKCS7_ENVELOPED_DATA:
         case SEC_OID_PKCS7_DIGESTED_DATA:
@@ -255,16 +277,20 @@ NSS_CMSContentInfo_GetContent(NSSCMSCont
 
 SECItem *
 NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
 {
     NSSCMSContentInfo *ccinfo;
     SECOidTag tag;
     SECItem *pItem = NULL;
 
+    if (cinfo == NULL) {
+        return NULL;
+    }
+
     tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
     if (NSS_CMSType_IsData(tag)) {
         pItem = cinfo->content.data;
     } else if (NSS_CMSType_IsWrapper(tag)) {
         ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
         if (ccinfo != NULL) {
             pItem = NSS_CMSContentInfo_GetContent(ccinfo);
         }
@@ -277,99 +303,141 @@ NSS_CMSContentInfo_GetInnerContent(NSSCM
 
 /*
  * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
  * for future reference) and return the inner content type.
  */
 SECOidTag
 NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
 {
+    if (cinfo == NULL) {
+        return SEC_OID_UNKNOWN;
+    }
+
     if (cinfo->contentTypeTag == NULL)
         cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
 
     if (cinfo->contentTypeTag == NULL)
         return SEC_OID_UNKNOWN;
 
     return cinfo->contentTypeTag->offset;
 }
 
 SECItem *
 NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
 {
-    if (cinfo->contentTypeTag == NULL)
-        cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+    if (cinfo == NULL) {
+        return NULL;
+    }
 
-    if (cinfo->contentTypeTag == NULL)
+    if (cinfo->contentTypeTag == NULL) {
+        cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+    }
+
+    if (cinfo->contentTypeTag == NULL) {
         return NULL;
+    }
 
     return &(cinfo->contentTypeTag->oid);
 }
 
 /*
  * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
  * for future reference) and return the content encryption algorithm tag.
  */
 SECOidTag
 NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
 {
-    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
+    if (cinfo == NULL) {
+        return SEC_OID_UNKNOWN;
+    }
+
+    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) {
         cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
+    }
 
     return cinfo->contentEncAlgTag;
 }
 
 /*
  * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
  */
 SECAlgorithmID *
 NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
 {
+    if (cinfo == NULL) {
+        return NULL;
+    }
+
     return &(cinfo->contentEncAlg);
 }
 
 SECStatus
 NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
                                     SECOidTag bulkalgtag, SECItem *parameters, int keysize)
 {
     SECStatus rv;
+    if (cinfo == NULL) {
+        return SECFailure;
+    }
 
     rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
-    if (rv != SECSuccess)
+    if (rv != SECSuccess) {
         return SECFailure;
+    }
     cinfo->keysize = keysize;
     return SECSuccess;
 }
 
 SECStatus
 NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
                                       SECAlgorithmID *algid, int keysize)
 {
     SECStatus rv;
+    if (cinfo == NULL) {
+        return SECFailure;
+    }
 
     rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
-    if (rv != SECSuccess)
+    if (rv != SECSuccess) {
         return SECFailure;
-    if (keysize >= 0)
+    }
+    if (keysize >= 0) {
         cinfo->keysize = keysize;
+    }
     return SECSuccess;
 }
 
 void
 NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
 {
-    cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
-    cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+    if (cinfo == NULL) {
+        return;
+    }
+
+    if (bulkkey == NULL) {
+        cinfo->bulkkey = NULL;
+        cinfo->keysize = 0;
+    } else {
+        cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+        cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+    }
 }
 
 PK11SymKey *
 NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
 {
-    if (cinfo->bulkkey == NULL)
+    if (cinfo == NULL || cinfo->bulkkey == NULL) {
         return NULL;
+    }
 
     return PK11_ReferenceSymKey(cinfo->bulkkey);
 }
 
 int
 NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
 {
+    if (cinfo == NULL) {
+        return 0;
+    }
+
     return cinfo->keysize;
 }
--- a/security/nss/lib/smime/cmsdigdata.c
+++ b/security/nss/lib/smime/cmsdigdata.c
@@ -51,17 +51,19 @@ loser:
 
 /*
  * NSS_CMSDigestedData_Destroy - destroy a digestedData object
  */
 void
 NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
 {
     /* everything's in a pool, so don't worry about the storage */
-    NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+    if (digd != NULL) {
+        NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+    }
     return;
 }
 
 /*
  * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
  */
 NSSCMSContentInfo *
 NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd)
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -82,17 +82,19 @@ loser:
 
 /*
  * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
  */
 void
 NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
 {
     /* everything's in a pool, so don't worry about the storage */
-    NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+    if (encd != NULL) {
+        NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+    }
     return;
 }
 
 /*
  * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
  */
 NSSCMSContentInfo *
 NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd)
--- a/security/nss/lib/smime/cmsenvdata.c
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -139,16 +139,21 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(
     PLArenaPool *poolp;
     extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
     void *mark = NULL;
     int i;
 
     poolp = envd->cmsg->poolp;
     cinfo = &(envd->contentInfo);
 
+    if (cinfo == NULL) {
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        goto loser;
+    }
+
     recipientinfos = envd->recipientInfos;
     if (recipientinfos == NULL) {
         PORT_SetError(SEC_ERROR_BAD_DATA);
 #if 0
     PORT_SetErrorString("Cannot find recipientinfos to encode.");
 #endif
         goto loser;
     }
--- a/security/nss/lib/smime/cmsmessage.c
+++ b/security/nss/lib/smime/cmsmessage.c
@@ -24,42 +24,45 @@ NSSCMSMessage *
 NSS_CMSMessage_Create(PLArenaPool *poolp)
 {
     void *mark = NULL;
     NSSCMSMessage *cmsg;
     PRBool poolp_is_ours = PR_FALSE;
 
     if (poolp == NULL) {
         poolp = PORT_NewArena(1024); /* XXX what is right value? */
-        if (poolp == NULL)
+        if (poolp == NULL) {
             return NULL;
+        }
         poolp_is_ours = PR_TRUE;
     }
 
     if (!poolp_is_ours)
         mark = PORT_ArenaMark(poolp);
 
     cmsg = (NSSCMSMessage *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSMessage));
     if (cmsg == NULL ||
         NSS_CMSContentInfo_Private_Init(&(cmsg->contentInfo)) != SECSuccess) {
         if (!poolp_is_ours) {
             if (mark) {
                 PORT_ArenaRelease(poolp, mark);
             }
-        } else
+        } else {
             PORT_FreeArena(poolp, PR_FALSE);
+        }
         return NULL;
     }
 
     cmsg->poolp = poolp;
     cmsg->poolp_is_ours = poolp_is_ours;
     cmsg->refCount = 1;
 
-    if (mark)
+    if (mark) {
         PORT_ArenaUnmark(poolp, mark);
+    }
 
     return cmsg;
 }
 
 /*
  * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
  *
  * "cmsg" - message object
@@ -68,90 +71,114 @@ NSS_CMSMessage_Create(PLArenaPool *poolp
  * "detached_digestalgs", "detached_digests" - digests from detached content
  */
 void
 NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
                                  PK11PasswordFunc pwfn, void *pwfn_arg,
                                  NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
                                  SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
 {
-    if (pwfn)
+    if (cmsg == NULL) {
+        return;
+    }
+    if (pwfn) {
         PK11_SetPasswordFunc(pwfn);
+    }
+
     cmsg->pwfn_arg = pwfn_arg;
     cmsg->decrypt_key_cb = decrypt_key_cb;
     cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
     cmsg->detached_digestalgs = detached_digestalgs;
     cmsg->detached_digests = detached_digests;
 }
 
 /*
  * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
  */
 void
 NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
 {
-    PORT_Assert(cmsg->refCount > 0);
-    if (cmsg->refCount <= 0) /* oops */
+    if (cmsg == NULL)
         return;
 
+    PORT_Assert(cmsg->refCount > 0);
+    if (cmsg->refCount <= 0) { /* oops */
+        return;
+    }
+
     cmsg->refCount--; /* thread safety? */
-    if (cmsg->refCount > 0)
+    if (cmsg->refCount > 0) {
         return;
+    }
 
     NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
 
     /* if poolp is not NULL, cmsg is the owner of its arena */
-    if (cmsg->poolp_is_ours)
+    if (cmsg->poolp_is_ours) {
         PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */
+    }
 }
 
 /*
  * NSS_CMSMessage_Copy - return a copy of the given message.
  *
  * The copy may be virtual or may be real -- either way, the result needs
  * to be passed to NSS_CMSMessage_Destroy later (as does the original).
  */
 NSSCMSMessage *
 NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
 {
-    if (cmsg == NULL)
+    if (cmsg == NULL) {
         return NULL;
+    }
 
     PORT_Assert(cmsg->refCount > 0);
 
     cmsg->refCount++; /* XXX chrisk thread safety? */
     return cmsg;
 }
 
 /*
  * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
  */
 PLArenaPool *
 NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
 {
+    if (cmsg == NULL) {
+        return NULL;
+    }
+
     return cmsg->poolp;
 }
 
 /*
  * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
  */
 NSSCMSContentInfo *
 NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
 {
+    if (cmsg == NULL) {
+        return NULL;
+    }
+
     return &(cmsg->contentInfo);
 }
 
 /*
  * Return a pointer to the actual content.
  * In the case of those types which are encrypted, this returns the *plain* content.
  * In case of nested contentInfos, this descends and retrieves the innermost content.
  */
 SECItem *
 NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
 {
+    if (cmsg == NULL) {
+        return NULL;
+    }
+
     /* this is a shortcut */
     NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
     SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
     return pItem;
 }
 
 /*
  * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
@@ -159,16 +186,20 @@ NSS_CMSMessage_GetContent(NSSCMSMessage 
  * CMS data content objects do not count.
  */
 int
 NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
 {
     int count = 0;
     NSSCMSContentInfo *cinfo;
 
+    if (cmsg == NULL) {
+        return 0;
+    }
+
     /* walk down the chain of contentinfos */
     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) {
         count++;
         cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo);
     }
     return count;
 }
 
@@ -178,16 +209,20 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSM
  * CMS data content objects do not count.
  */
 NSSCMSContentInfo *
 NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
 {
     int count = 0;
     NSSCMSContentInfo *cinfo;
 
+    if (cmsg == NULL) {
+        return NULL;
+    }
+
     /* walk down the chain of contentinfos */
     for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n;
          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
         count++;
     }
 
     return cinfo;
 }
@@ -195,16 +230,20 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessag
 /*
  * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
  */
 PRBool
 NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
 {
     NSSCMSContentInfo *cinfo;
 
+    if (cmsg == NULL) {
+        return PR_FALSE;
+    }
+
     /* descend into CMS message */
     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
         if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(cinfo)))
             continue; /* next level */
 
         if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
             return PR_TRUE;
@@ -216,16 +255,20 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCM
 /*
  * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
  */
 PRBool
 NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
 {
     NSSCMSContentInfo *cinfo;
 
+    if (cmsg == NULL) {
+        return PR_FALSE;
+    }
+
     /* walk down the chain of contentinfos */
     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
         switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
             case SEC_OID_PKCS7_ENVELOPED_DATA:
             case SEC_OID_PKCS7_ENCRYPTED_DATA:
                 return PR_TRUE;
             default:
@@ -246,23 +289,31 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage
  * Note that the content itself can be empty (detached content was sent
  * another way); it is the presence of the signature that matters.
  */
 PRBool
 NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
 {
     NSSCMSContentInfo *cinfo;
 
+    if (cmsg == NULL) {
+        return PR_FALSE;
+    }
+
     /* walk down the chain of contentinfos */
     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
         switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
             case SEC_OID_PKCS7_SIGNED_DATA:
-                if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
+                if (cinfo->content.signedData == NULL) {
+                    return PR_FALSE;
+                }
+                if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) {
                     return PR_TRUE;
+                }
                 break;
             default:
                 /* callback here for generic wrappers? */
                 break;
         }
     }
     return PR_FALSE;
 }
@@ -273,18 +324,19 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *c
  * returns PR_TRUE is innermost content length is < minLen
  * XXX need the encrypted content length (why?)
  */
 PRBool
 NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
 {
     SECItem *item = NULL;
 
-    if (cmsg == NULL)
+    if (cmsg == NULL) {
         return PR_TRUE;
+    }
 
     item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
 
     if (!item) {
         return PR_TRUE;
     } else if (item->len <= minLen) {
         return PR_TRUE;
     }
--- a/security/nss/lib/smime/cmsudf.c
+++ b/security/nss/lib/smime/cmsudf.c
@@ -234,17 +234,17 @@ NSS_CMSType_GetContentSize(SECOidTag typ
     return sizeof(SECItem *);
 }
 
 void
 NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
 {
     const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
 
-    if (typeInfo && typeInfo->destroy) {
+    if (typeInfo && (typeInfo->destroy) && (gd != NULL)) {
         (*typeInfo->destroy)(gd);
     }
 }
 
 SECStatus
 NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type,
                                             NSSCMSGenericWrapperData *gd)
 {
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -12,16 +12,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.41" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.41.1" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 41
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.41"
+#define NSSUTIL_VERSION "3.41.1"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 41
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */