Check X509Certificate::CreateFromHandle result.

net/cert/cert_verify_proc_openssl.cc

Index: net/cert/cert_verify_proc_openssl.cc
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc
index 13a19d8e16322329c01a24395f2f30ddf7c2520f..20c0ad5b1d006387a0431280f46149eac9cef376 100644
--- a/net/cert/cert_verify_proc_openssl.cc
+++ b/net/cert/cert_verify_proc_openssl.cc
@@ -109,8 +109,12 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx,
   // Set verify_result->verified_cert and
   // verify_result->is_issued_by_known_root.
   if (verified_cert) {
-    verify_result->verified_cert =
+    scoped_refptr<X509Certificate> verified_cert_with_chain =
         X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+    if (verified_cert_with_chain)
+      verify_result->verified_cert = std::move(verified_cert_with_chain);
+    else
+      verify_result->cert_status |= CERT_STATUS_INVALID;
 
     // For OpenSSL builds, only certificates used for unit tests are treated
     // as not issued by known roots. The only way to determine whether a