Don't leak memory from notice_section function on error path

The notice_section() function allocates a STACK_OF(CONF_VALUE) but
then fails to free it on an error path.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

crypto/x509v3/v3_cpols.c

@@ -295,6 +295,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
             if (!nos || !sk_CONF_VALUE_num(nos)) {
                 X509V3err(X509V3_F_NOTICE_SECTION, X509V3_R_INVALID_NUMBERS);
                 X509V3_conf_err(cnf);
+                sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
                 goto err;
             }
             ret = nref_nos(nref->noticenos, nos);