From ec18ae0fbcc17a10ce29c6eb59b0a5aa4e6a231e Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Sun, 28 Jul 2019 19:21:09 -0600
Subject: [PATCH] add aditional sanity checks on buffer
---
 wolfcrypt/src/pkcs7.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 8931d68ee..b5cc3fae6 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -4146,6 +4146,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
 NO_USER_CHECK) <= 0)
 ret = ASN_PARSE_E;
+ if (localIdx >= pkiMsgSz) {
+ ret = BUFFER_E;
+ }
 /* get length of content in the case that there is multiple parts */
 if (ret == 0 && pkiMsg[localIdx] == (ASN_OCTET_STRING | ASN_CONSTRUCTED)) {
@@ -4159,6 +4162,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
 /* Check whether there is one OCTET_STRING inside. */
 start = localIdx;
+ if (localIdx >= pkiMsgSz) {
+ ret = BUFFER_E;
+ }
+
 if (ret == 0 && pkiMsg[localIdx++] != ASN_OCTET_STRING)
 ret = ASN_PARSE_E;
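Review bot: The added bounds check assigns `ret = BUFFER_E` without testing `ret` first, so a failure recorded just above it (`ret = ASN_PARSE_E` in the preceding context lines) is replaced by BUFFER_E whenever the index also sits at the end of the buffer. The read that follows is already guarded with `ret == 0 &&`; writing the check as `if (ret == 0 && localIdx >= pkiMsgSz) {` keeps the first error code and matches that style. The second hunk (`@@ -4159,6 +4162,10 @@`) adds the identical check after `start = localIdx;` and would take the same change. A short comment on each check, e.g. `/* tag byte is read next; localIdx must be inside pkiMsg */`, would record why it is there. PKCS7_VerifySignedData starts and ends outside both hunks, so whether later code uses `start` or `localIdx` after an error cannot be judged from here.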