sanity check on pkcs7 input size (#4386)

2025-08-01 03:34:39 +02:00 · 2021-09-13 05:34:23 +07:00
parent 42db91e454
commit 4bd87a0c41
1 changed files with 10 additions and 0 deletions
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -4276,6 +4276,11 @@ static int wc_PKCS7_ParseSignerInfo(PKCS7* pkcs7, byte* in, word32 inSz,
                }
            }

+            if (ret == 0) {
+                if (length > (int)inSz - (int)idx)
+                    ret = BUFFER_E;
+            }
+
            if (ret == 0) {
                ret = wc_PKCS7_SignerInfoSetSID(pkcs7, in + idx, length);
                idx += length;
@@ -5244,6 +5249,11 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
                if (pkiMsg != in && pkcs7->stream->length > 0) {
                    pkiMsg2Sz = pkcs7->stream->length;
                }
+                else {
+                    /* if pkiMsg2 is pkiMsg and not using an internal stream
+                     * buffer then the size is limited by inSz */
+                    pkiMsg2Sz = inSz;
+                }
            }

            /* restore content */