--- a/extensions/auth/nsHttpNegotiateAuth.cpp
+++ b/extensions/auth/nsHttpNegotiateAuth.cpp
@@ -520,17 +520,17 @@ nsHttpNegotiateAuth::GenerateCredentials
     // be a continuation of an earlier call because GSSAPI authentication
     // often takes multiple round-trips to complete depending on the
     // context flags given.  We want to use MUTUAL_AUTHENTICATION which
     // generally *does* require multiple round-trips.  Don't assume
     // auth can be completed in just 1 call.
     //
     unsigned int len = strlen(challenge);
 
-    void *inToken, *outToken;
+    void *inToken = nullptr, *outToken;
     uint32_t inTokenLen, outTokenLen;
 
     if (len > kNegotiateLen) {
         challenge += kNegotiateLen;
         while (*challenge == ' ')
             challenge++;
         len = strlen(challenge);
 
@@ -540,24 +540,24 @@ nsHttpNegotiateAuth::GenerateCredentials
 
         //
         // Decode the response that followed the "Negotiate" token
         //
         nsresult rv =
             Base64Decode(challenge, len, (char**)&inToken, &inTokenLen);
 
         if (NS_FAILED(rv)) {
+            free(inToken);
             return rv;
         }
     }
     else {
         //
         // Initializing, don't use an input token.
         //
-        inToken = nullptr;
         inTokenLen = 0;
     }
 
     nsresult rv = module->GetNextToken(inToken, inTokenLen, &outToken, &outTokenLen);
 
     free(inToken);
 
     if (NS_FAILED(rv))