--- nss/lib/ckfw/pem/psession.c
+++ nss/lib/ckfw/pem/psession.c
@@ -230,6 +230,7 @@ pem_mdSession_Login
     unsigned int len = 0;
     NSSLOWKEYPrivateKey *lpk = NULL;
     PLArenaPool *arena;
+    SECItem plain;
     int i;
 
     fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
@@ -306,23 +321,27 @@ pem_mdSession_Login
     lpk->keyType = NSSLOWKEYRSAKey;
     prepare_low_rsa_priv_key_for_asn1(lpk);
 
-    nss_ZFreeIf(io->u.key.key.privateKey->data);
-    io->u.key.key.privateKey->len = len - output[len - 1];
-    io->u.key.key.privateKey->data =
-        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
-    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
 
     /* Decode the resulting blob and see if it is a decodable DER that fits
      * our private key template. If so we declare success and move on. If not
      * then we return an error.
      */
+    memset(&plain, 0, sizeof(plain));
+    plain.data = output;
+    plain.len = len - output[len - 1];
     rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
-                                io->u.key.key.privateKey);
+                                &plain);
     pem_DestroyPrivateKey(lpk);
     arena = NULL;
     if (rv != SECSuccess)
         goto loser;
 
+    nss_ZFreeIf(io->u.key.key.privateKey->data);
+    io->u.key.key.privateKey->len = len - output[len - 1];
+    io->u.key.key.privateKey->data =
+        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+
     rv = CKR_OK;
 
   loser: