From f62d0fa2569a1c6d4d37f988e3dd31faf22dca63 Mon Sep 17 00:00:00 2001
From: Ruby Martin <ruby@wolfssl.com>
Date: Mon, 7 Jul 2025 11:51:29 -0600
Subject: [PATCH 1/3] check sigAlgs.size against WOLFSSL_MAX_SIGALGO

---
 src/dtls.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/dtls.c b/src/dtls.c
index 2d3c38bef..2ef5ab1bd 100644
--- a/src/dtls.c
+++ b/src/dtls.c
@@ -678,6 +678,8 @@ static int SendStatelessReplyDtls13(const WOLFSSL* ssl, WolfSSL_CH* ch)
             ERROR_OUT(BUFFER_ERROR, dtls13_cleanup);
         if ((sigAlgs.size % 2) != 0)
             ERROR_OUT(BUFFER_ERROR, dtls13_cleanup);
+        if (sigAlgs.size > WOLFSSL_MAX_SIGALGO)
+            ERROR_OUT(BUFFER_ERROR, dtls13_cleanup);
         suites.hashSigAlgoSz = (word16)sigAlgs.size;
         XMEMCPY(suites.hashSigAlgo, sigAlgs.elements, sigAlgs.size);
         haveSA = 1;

From 7b7c658668af8d52f19c4473e2fca319d27151d3 Mon Sep 17 00:00:00 2001
From: Ruby Martin <ruby@wolfssl.com>
Date: Mon, 7 Jul 2025 14:10:41 -0600
Subject: [PATCH 2/3] add null check to wc_Des_CbcEncrypt

---
 wolfcrypt/src/des3.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c
index adefaa229..4ab5b7415 100644
--- a/wolfcrypt/src/des3.c
+++ b/wolfcrypt/src/des3.c
@@ -1727,6 +1727,10 @@
     {
         word32 blocks = sz / DES_BLOCK_SIZE;
 
+        if (des == NULL || out == NULL || in == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
         while (blocks--) {
             xorbuf((byte*)des->reg, in, DES_BLOCK_SIZE);
             DesProcessBlock(des, (byte*)des->reg, (byte*)des->reg);

From 6de2557748a51d7a9edaf1db8aa115071bda3f6b Mon Sep 17 00:00:00 2001
From: Ruby Martin <ruby@wolfssl.com>
Date: Wed, 9 Jul 2025 09:58:44 -0600
Subject: [PATCH 3/3] check buflen is less than BLAKE2B_BLOCKBYTES * 2

---
 wolfcrypt/src/blake2b.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/wolfcrypt/src/blake2b.c b/wolfcrypt/src/blake2b.c
index c1f3e7a80..311d19148 100644
--- a/wolfcrypt/src/blake2b.c
+++ b/wolfcrypt/src/blake2b.c
@@ -356,6 +356,8 @@ int blake2b_final( blake2b_state *S, byte *out, byte outlen )
     }
 
     S->buflen -= BLAKE2B_BLOCKBYTES;
+    if ( S->buflen >= (BLAKE2B_BLOCKBYTES * 2) )
+      return BAD_LENGTH_E;
     XMEMCPY( S->buf, S->buf + BLAKE2B_BLOCKBYTES, (wolfssl_word)S->buflen );
   }