From 4bd87a0c41002f6d347ed9fa6a1edc5bf95ab1f4 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 13 Sep 2021 05:34:23 +0700
Subject: [PATCH] sanity check on pkcs7 input size (#4386)
---
 wolfcrypt/src/pkcs7.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 30abed326..205fa946b 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -4276,6 +4276,11 @@ static int wc_PKCS7_ParseSignerInfo(PKCS7* pkcs7, byte* in, word32 inSz,
 }
 }
+ if (ret == 0) {
+ if (length > (int)inSz - (int)idx)
+ ret = BUFFER_E;
+ }
+ if (ret == 0) {
 ret = wc_PKCS7_SignerInfoSetSID(pkcs7, in + idx, length);
 idx += length;
@@ -5244,6 +5249,11 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
 if (pkiMsg != in && pkcs7->stream->length > 0) {
 pkiMsg2Sz = pkcs7->stream->length;
 }
+ else {
+ /* if pkiMsg2 is pkiMsg and not using an internal stream
+ * buffer then the size is limited by inSz */
+ pkiMsg2Sz = inSz;
+ }
 }
 /* restore content */
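Review bot: The new bound `length > (int)inSz - (int)idx` in wc_PKCS7_ParseSignerInfo only rejects a length that is too large, so a negative `length` would pass it and then be handed to `wc_PKCS7_SignerInfoSetSID` and added to `idx`. Whether `length` can be negative at this point depends on code above the hunk, which is not visible, so this may already be excluded. The casts of `inSz` and `idx` to `int` also change value once either exceeds `INT_MAX`; comparing in the unsigned domain avoids both problems: `if (length < 0 || idx > inSz || (word32)length > inSz - idx)` followed by `ret = BUFFER_E;`. A one-line comment such as `/* SID must lie inside the remaining input */` would record why the check sits here. The enclosing function starts and ends outside the hunk.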
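Review bot: The added `else` in PKCS7_VerifySignedData runs whenever `pkiMsg != in && pkcs7->stream->length > 0` is false, which is wider than the case its comment describes: it also covers `pkiMsg != in` with a stream length of 0. If `pkiMsg2` can point at the internal stream buffer in that case, `inSz` would not be the size of the buffer that later reads are bounded by; the assignment of `pkiMsg2` is outside the hunk, so this needs confirming against the surrounding code. If only the direct-input case is intended, `else if (pkiMsg == in) {` would make the branch match its comment. Otherwise the comment should say why `inSz` is also the right bound for the zero-length stream case.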