engine: fix double free on error path.

In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.

Bug reported by @Yunlongs

Fixes #14915

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

(cherry picked from commit efe8d69daa1a68be0a7f0f73220947c848e7ed1d)

diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c
index 9c9e3bd085068c0b2fd3da08ede2e16ac08c4a9b..258f71afecf32822ea57a5dd2aeb0a0e6b40fbb1 100644 (file)
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@@ -370,6 +370,7 @@ static OSSL_STORE_INFO *try_decode_PKCS8Encrypted(const char *pem_name,
     mem->data = (char *)new_data;
     mem->max = mem->length = (size_t)new_data_len;
     X509_SIG_free(p8);
+    p8 = NULL;
 
     store_info = ossl_store_info_new_EMBEDDED(PEM_STRING_PKCS8INF, mem);
     if (store_info == NULL) {