From 0ca238c50e35fc3fc2de6b697b1c83c7470c1d50 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Tue, 2 Jun 2026 16:39:26 -0700 Subject: [PATCH] Scope PKCS7 truncation check to NO_PKCS7_STREAM and guard test underflow - pkcs7.c: wrap the AuthEnvelopedData encryptedContentSz bounds check entirely in #ifdef NO_PKCS7_STREAM so the default streaming build carries no empty/no-op branch (behavior unchanged). - test_pkcs7.c: assert the encoded size is >32 so the encSz-32 and encSz-1 truncations can't underflow. --- tests/api/test_pkcs7.c | 3 ++- wolfcrypt/src/pkcs7.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c index b86262f112..810573a6d1 100644 --- a/tests/api/test_pkcs7.c +++ b/tests/api/test_pkcs7.c @@ -2895,8 +2895,9 @@ int test_wc_PKCS7_DecodeAuthEnvelopedData_truncated(void) pkcs7->contentOID = DATA; pkcs7->encryptOID = AES128GCMb; } + /* >32 so the encSz-32 / encSz-1 truncations below can't underflow */ ExpectIntGT(encSz = wc_PKCS7_EncodeAuthEnvelopedData(pkcs7, enveloped, - sizeof(enveloped)), 0); + sizeof(enveloped)), 32); wc_PKCS7_Free(pkcs7); pkcs7 = NULL; diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index bb42fca82d..5ab3c54e34 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -14968,11 +14968,11 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, } } + #ifdef NO_PKCS7_STREAM if (ret == 0 && encryptedContentSz > (int)(pkiMsgSz - idx)) { - #ifdef NO_PKCS7_STREAM ret = BUFFER_E; - #endif } + #endif if (ret < 0) break;