Fix memory leak in ecp_mul_comb() if ecp_precompute_comb() fails

In ecp_mul_comb(), if (!p_eq_g && grp->T == NULL) and then ecp_precompute_comb() fails (which can
happen due to OOM), then the new array of points T will be leaked (as it's newly allocated, but
hasn't been asigned to grp->T yet).

Symptom was a memory leak in ECDHE key exchange under low memory conditions.
diff --git a/ChangeLog b/ChangeLog
index 4c09593..7ea276b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -86,6 +86,8 @@
    * Correct the documentation for `mbedtls_ssl_get_session()`. This API has
      deep copy of the session, and the peer certificate is not lost. Fixes #926.
    * Fix build using -std=c99. Fixed by Nick Wilson.
+   * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
+     Fix contributed by Espressif Systems.
 
 Changes
    * Fail when receiving a TLS alert message with an invalid length, or invalid
diff --git a/library/ecp.c b/library/ecp.c
index 41db3fb..68c6f49 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1446,7 +1446,12 @@
 
 cleanup:
 
-    if( T != NULL && ! p_eq_g )
+    /* There are two cases where T is not stored in grp:
+     * - P != G
+     * - An intermediate operation failed before setting grp->T
+     * In either case, T must be freed.
+     */
+    if( T != NULL && T != grp->T )
     {
         for( i = 0; i < pre_len; i++ )
             mbedtls_ecp_point_free( &T[i] );