asn1: Fix open decode bug found by AFL

Should always run AFL before pushing changes to the ASN.1 compiler or
template interpreter!

Still fuzzing.  There are crashers in the _asn1_print() path, though
right now they cannot affect anything else in Heimdal other than
asn1_print, since that's the only thing calling it yet.

lib/asn1/template.c

@@ -645,6 +645,7 @@ _asn1_decode_open_type(const struct asn1_template *t,
              * All the union arms are pointers.
              */
             if (ret) {
+                _asn1_free(tactual_type->ptr, o);
                 free(o);
                 /*
                  * So we failed to decode the open type -- that should not be fatal
@@ -688,26 +689,18 @@ _asn1_decode_open_type(const struct asn1_template *t,
         /* Increment the count of decoded values as we decode */
         *lenp = len;
         for (i = 0; ret != ENOMEM && i < len; i++) {
-            if ((val[i] = calloc(len, tactual_type->offset)) == NULL)
+            if ((val[i] = calloc(1, tactual_type->offset)) == NULL)
                 ret = ENOMEM;
             if (ret == 0 && d[i])
                 /* Re-enter to decode the encoded open type value */
-                ret = _asn1_decode(tactual_type->ptr, flags, d[i]->data,
+                ret = _asn1_decode(tactual_type->ptr, flags, d[0][i].data,
-                                   d[i]->length, val[i], &sz);
+                                   d[0][i].length, val[i], &sz);
             if (ret) {
+                _asn1_free(tactual_type->ptr, val[i]);
                 free(val[i]);
                 val[i] = NULL;
             }
         }
-        if (ret == ENOMEM) {
-            for (i = 0; i < len; i++) {
-                _asn1_free(tactual_type->ptr, val[i]);
-                free(val[i]);
-            }
-            free(val);
-            val = 0;
-            *lenp = 0;
-        }
         if (ret != ENOMEM)
             ret = 0; /* See above */
         *dp = val;