Scope PKCS7 truncation check to NO_PKCS7_STREAM and guard test underflow

- pkcs7.c: wrap the AuthEnvelopedData encryptedContentSz bounds check
  entirely in #ifdef NO_PKCS7_STREAM so the default streaming build
  carries no empty/no-op branch (behavior unchanged).
- test_pkcs7.c: assert the encoded size is >32 so the encSz-32 and
  encSz-1 truncations can't underflow.
This commit is contained in:
Colton Willey
2026-06-02 16:39:26 -07:00
parent 359fb7ecbd
commit 0ca238c50e
2 changed files with 4 additions and 3 deletions
+2 -1
View File
@@ -2895,8 +2895,9 @@ int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void)
pkcs7->contentOID = DATA;
pkcs7->encryptOID = AES128GCMb;
}
/* >32 so the encSz-32 / encSz-1 truncations below can't underflow */
ExpectIntGT(encSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped,
sizeof(enveloped)), 0);
sizeof(enveloped)), 32);
wc_PKCS7_Free(pkcs7);
pkcs7 = NULL;
+2 -2
View File
@@ -14968,11 +14968,11 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
}
}
#ifdef NO_PKCS7_STREAM
if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) {
#ifdef NO_PKCS7_STREAM
ret = BUFFER_E;
#endif
}
#endif
if (ret < 0)
break;