
CVE-2019-5481: krb5: double-free in read_data() after realloc() fail

Medium
C
curl
Reported by thomas_v

Vulnerability Details

Technical details and impact analysis

Double Free
## Summary

In `lib/security.c`, there is a double-free of the reference `buf->data` on the teardown path if `Curl_saferealloc()` fails. Also, since we read `len` from the `fd`, the sender might be able to remotely trigger a realloc() failure, and then the double-free, by sending the value 0x7fffffff.

Introduced by 0649433da "realloc: use Curl_saferealloc to avoid common mistakes".

## Steps To Reproduce

Actual double-free was not reproduced. The realloc failure with the particular `len` value can be reproduced on my 32-bit Linux machine with the following code:

```C
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    void *ptr = malloc(10);
    if (!ptr)
        return -1;

    /* The length value a sender could put on the wire; on a 32-bit
     * system a 0x7fffffff-byte realloc() is expected to fail. */
    int len = 0x7fffffff;
    void *ptr2 = realloc(ptr, len);
    if (!ptr2) {
        /* realloc() failed; the original block is still owned by ptr */
        printf("Triggered realloc failure\n");
        free(ptr);
        return 0;
    }

    /* Unexpected: the allocation succeeded on this machine */
    free(ptr2);
    return -1;
}
```

## Comment

Also checked other occurrences of `Curl_saferealloc()` calls, which all seem fine otherwise.

## Impact

Double-free after a `realloc()` failure, which could be triggered remotely, depending on the use context of the `read_data()` function.
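As an added illustration that is not part of this report or of curl's code, the following constructed C model contrasts the pointer-handling shape the report describes (the helper frees the old block on failure while the caller's `buf->data` keeps pointing at it, so the teardown path frees it a second time) with a hardened shape that leaves the field NULL after a failure. The names `krb5buffer`, `saferealloc`, `read_data_vulnerable`, `read_data_fixed`, `simulate` and the allocation/free hooks are assumptions; `saferealloc` models `Curl_saferealloc()`'s contract of freeing the original block when `realloc()` fails, and the hook records a repeated free instead of performing it.

```c
#include <stdlib.h>
/* Constructed model of the read_data() buffer; not curl's own code. */
struct krb5buffer { void *data; size_t size; };
/* Test hooks (constructed): force the next realloc() to fail, and notice a
 * second free() of the block just freed without actually performing it. */
static int fail_next_realloc, double_frees;
static void *last_freed;
static void tracked_free(void *p)
{
    if(!p) return;                              /* free(NULL) is a no-op */
    if(p == last_freed) { double_frees++; return; }
    last_freed = p; free(p);
}
/* Curl_saferealloc() contract as the report relies on it: on failure the
 * old block is freed and NULL is returned. */
static void *saferealloc(void *ptr, size_t size)
{
    void *n = fail_next_realloc ? NULL : realloc(ptr, size);
    fail_next_realloc = 0;
    if(!n) tracked_free(ptr);
    return n;
}
/* Vulnerable shape: the result is kept in a temporary, so after a failure
 * buf->data still points at the block the helper has already freed. */
static int read_data_vulnerable(struct krb5buffer *buf, size_t len)
{
    void *tmp = saferealloc(buf->data, len);
    if(!tmp) return -1;                         /* buf->data now dangles */
    buf->data = tmp; buf->size = len;
    return 0;
}
/* Hardened shape: assign straight to the field, so a failure leaves
 * buf->data == NULL and the later teardown free() is harmless. */
static int read_data_fixed(struct krb5buffer *buf, size_t len)
{
    buf->data = saferealloc(buf->data, len);
    if(!buf->data) return -1;
    buf->size = len;
    return 0;
}
/* One read with a forced realloc() failure, then the teardown free of
 * buf->data. Returns the number of double frees observed. */
static int simulate(int (*read_fn)(struct krb5buffer *, size_t))
{
    struct krb5buffer buf = { malloc(16), 16 };
    last_freed = NULL; double_frees = 0; fail_next_realloc = 1;
    (void)read_fn(&buf, 0x7fffffff);            /* the length from the report */
    tracked_free(buf.data);                     /* teardown path */
    return double_frees;
}
```

Running `simulate(read_data_vulnerable)` reports one repeated free of the same block, while `simulate(read_data_fixed)` reports none, which is the property a regression test for this bug class should pin down.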

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Double Free