diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
index ea7f50a0ef4..6f5e216cfc5 100644
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -1044,6 +1044,10 @@ loser:
     NSSCryptoContext *cc = STAN_GetDefaultCryptoContext();
 
     stanCert = STAN_GetNSSCertificate(cert);
+    if (!stanCert) {
+        /* error code is set */
+        return NULL;
+    }
     nssUsage.anyUsage = PR_FALSE;
     nssUsage.nss3usage = usage;
     nssUsage.nss3lookingForCA = PR_FALSE;
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
index 2a546fae1ac..0ab9825b693 100644
--- a/security/nss/lib/pki/certificate.c
+++ b/security/nss/lib/pki/certificate.c
@@ -35,7 +35,7 @@
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.59 $ $Date: 2006-08-22 22:54:11 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certificate.c,v $ $Revision: 1.60 $ $Date: 2006-10-09 18:45:02 $";
 #endif /* DEBUG */
 
 #ifndef NSSPKI_H
@@ -493,10 +493,10 @@ nssCertificate_BuildChain (
     PRStatus  st;
     PRStatus  ret = PR_SUCCESS;
 
-    if (!td)
-	td = NSSCertificate_GetTrustDomain(c);
-    if (!td || !c || !cc) 
+    if (!c || !cc ||
+        (!td && (td = NSSCertificate_GetTrustDomain(c)) == NULL)) {
 	goto loser;
+    }
 #ifdef NSS_3_4_CODE
     /* bump the usage up to CA level */
     issuerUsage.nss3lookingForCA = PR_TRUE;