From 06e5f8c39bcad93859b15e65491e3415671a5274 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Wed, 13 Mar 2019 10:00:43 -0600
Subject: [PATCH] sanity check on padlen with pkcs7 decode

---
 wolfcrypt/src/pkcs7.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 72b6c7ed1..4e679b861 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -9354,6 +9354,12 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
             padLen = encryptedContent[encryptedContentSz-1];
 
             /* copy plaintext to output */
+            if (padLen > encryptedContentSz ||
+                    (word32)(encryptedContentSz - padLen) > outputSz) {
+                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+                ret = BUFFER_E;
+                break;
+            }
             XMEMCPY(output, encryptedContent, encryptedContentSz - padLen);
 
             /* free memory, zero out keys */