Fix a heap buffer overflow with mismatched PEM structure ZD13097

src/ssl.c

@@ -43737,7 +43737,7 @@ err:
         }
 
         /* Read the header and footer */
-        while (wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
+        while (i < l && wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
             i++;
             if (!header) {
                 header = XSTRNSTR(pem, "-----BEGIN ", (unsigned int)i);
@@ -43769,7 +43769,9 @@ err:
                 if (footerEnd) {
                     footerEnd += XSTR_SIZEOF("-----");
                     /* Now check that footer matches header */
-                    if (XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "),
+                    if ((headerEnd - (header + XSTR_SIZEOF("-----BEGIN "))) ==
+                        (footerEnd - (footer + XSTR_SIZEOF("-----END "))) &&
+                        XMEMCMP(header + XSTR_SIZEOF("-----BEGIN "),
                                 footer + XSTR_SIZEOF("-----END "),
                         headerEnd - (header + XSTR_SIZEOF("-----BEGIN ")))
                             != 0) {

tests/api.c

@@ -29683,6 +29683,11 @@ static void test_wolfSSL_X509_INFO(void)
     X509_INFO *info;
     BIO *cert;
     int i;
+    byte data[] = {
+        "---------BEGIN CERTc-----\n"
+        "MIIDMTBuQ=\n"
+        "-----END -----"
+    };
 
     printf(testingFmt, "wolfSSL_X509_INFO");
 
@@ -29701,6 +29706,13 @@ static void test_wolfSSL_X509_INFO(void)
     sk_X509_INFO_free(info_stack);
     BIO_free(cert);
 
+    /* This case should fail due to invalid input. */
+    AssertNotNull(cert = BIO_new(BIO_s_mem()));
+    AssertIntEQ(BIO_write(cert, data, sizeof(data)), sizeof(data));
+    AssertNull(info_stack = PEM_X509_INFO_read_bio(cert, NULL, NULL, NULL));
+    sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
+    BIO_free(cert);
+
     printf(resultFmt, passed);
 #endif
 }