From 8a96154066043d018e6b9f7625740da9a3dfae79 Mon Sep 17 00:00:00 2001
From: qmuntal
Date: Tue, 22 Aug 2023 15:36:58 +0200
Subject: [PATCH] don't leak cipher handle if newCBC panics
---
 cng/aes.go | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/cng/aes.go b/cng/aes.go
index a5a6deb..1722fa3 100644
--- a/cng/aes.go
+++ b/cng/aes.go
@@ -129,21 +129,22 @@ type cbcCipher struct {
 }

 func newCBC(encrypt bool, alg string, key, iv []byte) *cbcCipher {
- kh, err := newCipherHandle(alg, bcrypt.CHAIN_MODE_CBC, key)
- if err != nil {
- panic(err)
- }
- x := &cbcCipher{kh: kh, encrypt: encrypt}
+ var blockSize int
 switch alg {
 case bcrypt.AES_ALGORITHM:
- x.blockSize = aesBlockSize
+ blockSize = aesBlockSize
 case bcrypt.DES_ALGORITHM:
- x.blockSize = desBlockSize
+ blockSize = desBlockSize
 default:
 panic("invalid algorithm: " + alg)
 }
- x.SetIV(iv)
+ kh, err := newCipherHandle(alg, bcrypt.CHAIN_MODE_CBC, key)
+ if err != nil {
+ panic(err)
+ }
+ x := &cbcCipher{kh: kh, encrypt: encrypt, blockSize: blockSize}
 runtime.SetFinalizer(x, (*cbcCipher).finalize)
+ x.SetIV(iv)
 return x
 }
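Review bot: The order of the last statements in newCBC is now load-bearing, but nothing in the code says so: `runtime.SetFinalizer(x, (*cbcCipher).finalize)` has to run before `x.SetIV(iv)` so that the key handle is still released when SetIV panics (presumably on an IV of the wrong length; its body is not in this hunk). I would add a comment above the SetFinalizer call, e.g. `// Set the finalizer before SetIV, which may panic; otherwise kh would never be released.`, so that a later tidy-up does not move the call back. Release on that path still waits for the garbage collector, so the CNG key handle stays open until the finalizer runs. If SetIV only checks the length, checking `len(iv) != blockSize` next to the algorithm switch, before `newCipherHandle`, would avoid creating the handle at all on bad input.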