From 88af1a2932225659b3d3a31f1fcdcdad459fc545 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Fri, 5 Jul 2024 17:03:05 -0500
Subject: [PATCH] fixes for Coverity #394680, #394682, #394693, #394712.

---
 src/wolfio.c               | 5 +++++
 wolfcrypt/src/aes.c        | 4 ----
 wolfcrypt/src/rsa.c        | 5 ++++-
 wolfcrypt/src/wc_encrypt.c | 8 +++++++-
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/wolfio.c b/src/wolfio.c
index 72e8dda7f..52e61a55e 100644
--- a/src/wolfio.c
+++ b/src/wolfio.c
@@ -1612,6 +1612,11 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
 
         /* read data if no \r\n or first time */
         if ((start == NULL) || (end == NULL)) {
+            if (httpBufSz < len + 1) {
+                return BUFFER_ERROR; /* can't happen, but Coverity thinks it
+                                      * can.
+                                      */
+            }
             result = wolfIO_Recv(sfd, (char*)httpBuf+len, httpBufSz-len-1, 0);
             if (result > 0) {
                 len += result;
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index a4e4b4a36..8418fb079 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -12910,10 +12910,6 @@ int wc_AesXtsEncryptInit(XtsAes* xaes, const byte* i, word32 iSz,
         return BAD_FUNC_ARG;
     }
 
-    if (iSz < AES_BLOCK_SIZE) {
-        return BAD_FUNC_ARG;
-    }
-
     XMEMCPY(stream->tweak_block, i, AES_BLOCK_SIZE);
     stream->bytes_crypted_with_this_tweak = 0;
 
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 5a9df2002..587e47c4b 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -4017,7 +4017,10 @@ int wc_RsaPSS_CheckPadding_ex2(const byte* in, word32 inSz, byte* sig,
 
     /* Sig = Salt | Exp Hash */
     if (ret == 0) {
-        if (sigSz != inSz + (word32)saltLen) {
+        word32 totalSz;
+        if ((WC_SAFE_SUM_WORD32(inSz, (word32)saltLen, totalSz) == 0) ||
+            (sigSz != totalSz))
+        {
             ret = PSS_SALTLEN_E;
         }
     }
diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c
index f26b41b73..3b6d87dda 100644
--- a/wolfcrypt/src/wc_encrypt.c
+++ b/wolfcrypt/src/wc_encrypt.c
@@ -545,9 +545,15 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 
                 ret =  wc_PKCS12_PBKDF(key, unicodePasswd, idx, salt, saltSz,
                                     iterations, (int)derivedLen, typeH, 1);
+                if (ret < 0)
+                    break;
                 if (id != PBE_SHA1_RC4_128) {
-                    ret += wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt,
+                    i = ret;
+                    ret = wc_PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt,
                                     saltSz, iterations, 8, typeH, 2);
+                    if (ret < 0)
+                        break;
+                    ret += i;
                 }
                 break;
             }