Index: mozilla/security/nss/lib/certdb/crl.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certdb/crl.c,v
retrieving revision 1.49
diff -pU60 -r1.49 mozilla/security/nss/lib/certdb/crl.c
--- mozilla/security/nss/lib/certdb/crl.c
+++ mozilla/security/nss/lib/certdb/crl.c
@@ -2739,120 +2739,122 @@ SECStatus CERT_UncacheCRL(CERTCertDBHand
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     /* first decode the DER CRL to make sure it's OK */
     oldcrl = CERT_DecodeDERCrlWithFlags(NULL, olddercrl, SEC_CRL_TYPE,
                                         CRL_DECODE_DONT_COPY_DER |
                                         CRL_DECODE_SKIP_ENTRIES);
 
     if (!oldcrl)
     {
         /* if this DER CRL can't decode, it can't be in the cache */
         return SECFailure;
     }
 
     rv = AcquireDPCache(NULL,
                         &oldcrl->crl.derName,
                         NULL, 0, NULL, &cache, &writeLocked);
     if (SECSuccess == rv)
     {
         CachedCrl* returned = NULL;
 
         readlocked = (writeLocked == PR_TRUE? PR_FALSE : PR_TRUE);
     
         rv = CachedCrl_Create(&returned, oldcrl, CRL_OriginExplicit);
         if (SECSuccess == rv && returned)
         {
             DPCache_LockWrite();
             for (i=0;i<cache->ncrls;i++)
             {
                 PRBool dupe = PR_FALSE, updated = PR_FALSE;
                 rv = CachedCrl_Compare(returned, cache->crls[i],
                                                       &dupe, &updated);
                 if (SECSuccess != rv)
                 {
                     PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
                     break;
                 }
                 if (PR_TRUE == dupe)
                 {
                     DPCache_RemoveCRL(cache, i); /* got a match */
                     cache->mustchoose = PR_TRUE;
                     removed = PR_TRUE;
                     break;
                 }
             }
             
             DPCache_UnlockWrite();
         }
 
         ReleaseDPCache(cache, writeLocked);
 
         if (PR_TRUE != removed)
         {
             rv = SECFailure;
         }
     }
     SEC_DestroyCrl(oldcrl); /* need to do this because object is refcounted */
     if (PR_TRUE != removed)
     {
+        if (returned)
+            SEC_DestroyCrl(returned);
         PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
     }
     return rv;
 }
 
 static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
                                   CRLOrigin origin)
 {
     CachedCrl* newcrl = NULL;
     if (!returned)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     newcrl = PORT_ZAlloc(sizeof(CachedCrl));
     if (!newcrl)
     {
         return SECFailure;
     }
     newcrl->crl = SEC_DupCrl(crl);
     newcrl->origin = origin;
     *returned = newcrl;
     return SECSuccess;
 }
 
 /* empty the cache content */
 static SECStatus CachedCrl_Depopulate(CachedCrl* crl)
 {
     if (!crl)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
      /* destroy the hash table */
     if (crl->entries)
     {
         PL_HashTableDestroy(crl->entries);
         crl->entries = NULL;
     }
 
     /* free the pre buffer */
     if (crl->prebuffer)
     {
         PreAllocator_Destroy(crl->prebuffer);
         crl->prebuffer = NULL;
     }
     return SECSuccess;
 }
 
 static SECStatus CachedCrl_Destroy(CachedCrl* crl)
 {
     if (!crl)
     {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     CachedCrl_Depopulate(crl);
     SEC_DestroyCrl(crl->crl);
     PORT_Free(crl);
     return SECSuccess;