From 3d16f891d4b66a72ca6d1082c4c53fbc50215c91 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Tue, 14 Aug 2018 19:20:24 -0600
Subject: [PATCH] Fix to check for buffer overrrun with the additional padding
 in PKCS12 `EncryptContent` function.

---
 wolfcrypt/src/asn.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 2e08614e0..cf8f47baa 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -3245,12 +3245,17 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
     sz = SetLength(inputSz, out + inOutIdx);
     inOutIdx += sz; totalSz += sz;
 
-    /* adjust size to pad */
-    sz = Pkcs8Pad(out + inOutIdx, inputSz, blockSz);
+    /* get pad size and verify buffer room */
+    sz = Pkcs8Pad(NULL, inputSz, blockSz);
     if (sz + inOutIdx > *outSz)
         return BUFFER_E;
 
+    /* copy input to output buffer and pad end */
     XMEMCPY(out + inOutIdx, input, inputSz);
+    sz = Pkcs8Pad(out + inOutIdx, inputSz, blockSz);
+    totalSz += sz;
+
+    /* encrypt */
     if ((ret = wc_CryptKey(password, passwordSz, salt, saltSz, itt, id,
                    out + inOutIdx, sz, version, cbcIv, 1)) < 0) {
 
@@ -3265,7 +3270,6 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
     XFREE(cbcIv,   heap, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(saltTmp, heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
-    totalSz += sz;
 
     return totalSz;
 }