commit 2fc14c59ca0eb275dfb9308e9d1d89a1dcbc2a24
Author: Matt Caswell <matt@openssl.org>
Date:   Tue Dec 13 14:54:55 2022 +0000

    Avoid dangling ptrs in header and data params for PEM_read_bio_ex
    
    In the event of a failure in PEM_read_bio_ex() we free the buffers we
    allocated for the header and data buffers. However we were not clearing
    the ptrs stored in *header and *data. Since, on success, the caller is
    responsible for freeing these ptrs this can potentially lead to a double
    free if the caller frees them even on failure.
    
    Thanks to Dawei Wang for reporting this issue.
    
    Based on a proposed patch by Kurt Roeckx.
    
    CVE-2022-4450

Index: openssl-1.1.1l/crypto/pem/pem_lib.c
===================================================================
--- openssl-1.1.1l.orig/crypto/pem/pem_lib.c
+++ openssl-1.1.1l/crypto/pem/pem_lib.c
@@ -954,7 +954,9 @@ int PEM_read_bio_ex(BIO *bp, char **name
     *data = pem_malloc(len, flags);
     if (*header == NULL || *data == NULL) {
         pem_free(*header, flags, 0);
+        *header = NULL;
         pem_free(*data, flags, 0);
+        *data = NULL;
         goto end;
     }
     BIO_read(headerB, *header, headerlen);