Commit 82befaf246 for openssl.org

commit 82befaf246e948475cdaf14bf3a04565ac5d3625
Author: yangxuqing <43904538+RigelYoung@users.noreply.github.com>
Date:   Sat May 23 10:06:41 2026 +0800

    providers: Nullify BIO pointer after free to prevent double free

    In providers/implementations/storemgmt/file_store_any2obj.c, if the
    control flow reaches the err label after BIO_free(in) is called, a
    double free will occur in the generic cleanup block.

    Currently, the only path to this specific err jump is if
    BUF_MEM_grow(mem, len) fails. As noted by the OpenSSL Security Team,
    this failure is currently impossible because the buffer is being
    shrunk (max_len >= len).

    However, as requested by the security team via email, this commit
    explicitly nullifies the in pointer after the first free to
    future-proof the function and prevent a double free in case the
    semantics of BUF_MEM_grow() or the surrounding logic change in
    the future.

    Fixes: 1b0f21f0555c "Implementing store support for EVP_SKEY"
    CLA: trivial

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Tue May 26 10:14:50 2026
    (Merged from https://github.com/openssl/openssl/pull/31275)

diff --git a/providers/implementations/storemgmt/file_store_any2obj.c b/providers/implementations/storemgmt/file_store_any2obj.c
index 002560465a..2592ab04ab 100644
--- a/providers/implementations/storemgmt/file_store_any2obj.c
+++ b/providers/implementations/storemgmt/file_store_any2obj.c
@@ -336,6 +336,7 @@ static int raw2obj_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
     }

     BIO_free(in);
+    in = NULL;

     if (BUF_MEM_grow(mem, len) != len) {
         ERR_raise(ERR_LIB_PEM, ERR_R_BUF_LIB);