wolfcrypt: validate API input sizes

Jeremiah Mackey
2026-05-06 15:46:59 +00:00
parent 90eb7253b6
commit 8667bd0f92
2 changed files with 29 additions and 7 deletions
+8 -1
@@ -24880,7 +24880,14 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
int wc_PemToDer(const unsigned char* buff, long longSz, int type,
DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
{
int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
int ret;
if (buff == NULL || longSz <= 0) {
WOLFSSL_MSG("Bad pem der args");
return BAD_FUNC_ARG;
}
ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
#if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
if (ret == 0 && type == PRIVATEKEY_TYPE) {
DerBuffer* der = *pDer;
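Review bot: The new guard in wc_PemToDer checks `buff` and `longSz` but not `pDer`, which is dereferenced as `*pDer` a few lines below under HAVE_PKCS8/HAVE_PKCS12 when `ret == 0`. Whether PemToDer itself rejects a NULL `pDer` is not visible here, so the wrapper could state it directly: `if (buff == NULL || pDer == NULL || longSz <= 0) {`. The check also sits only in the public wrapper, so any internal caller that invokes PemToDer directly presumably gets no size validation from this commit; placing the guard in PemToDer as well is worth considering. The function body continues past the end of the hunk.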
+21 -6
@@ -221,6 +221,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
if (out == NULL || in == NULL) {
return BAD_FUNC_ARG;
}
/* Cap input so the initial doubling and additive growth in the loop
* cannot overflow word32 or the int return type. */
if (inSz > (word32)(INT_MAX / 2)) {
return BAD_FUNC_ARG;
}
i = (maxSz == 1)? 1 : 2; /* start with output buffer twice the size of input
* unless max was set to 1 */
@@ -229,7 +234,7 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
/* Check for source > 64K on 16-bit machine: */
if ((uLong)stream.avail_in != inSz) return DECOMPRESS_INIT_E;
tmpSz = inSz * i;
tmpSz = inSz * (word32)i;
tmp = (byte*)XMALLOC(tmpSz, heap, memoryType);
if (tmp == NULL)
return MEMORY_E;
@@ -278,6 +283,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
}
i++;
if (tmpSz > (word32)INT_MAX - inSz) {
WOLFSSL_MSG("Decompress buffer would exceed INT_MAX");
result = DECOMPRESS_E;
break;
}
newSz = tmpSz + inSz;
newTmp = (byte*)XMALLOC(newSz, heap, memoryType);
if (newTmp == NULL) {
@@ -295,13 +305,18 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
} while (result == Z_OK);
if (result == Z_STREAM_END) {
result = (int)stream.total_out;
*out = (byte*)XMALLOC(result, heap, memoryType);
if (*out != NULL) {
XMEMCPY(*out, tmp, result);
if (stream.total_out > (uLong)INT_MAX) {
result = DECOMPRESS_E;
}
else {
result = MEMORY_E;
result = (int)stream.total_out;
*out = (byte*)XMALLOC(result, heap, memoryType);
if (*out != NULL) {
XMEMCPY(*out, tmp, result);
}
else {
result = MEMORY_E;
}
}
}
else {
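Review bot: The cap added before the initial sizing rejects an oversized `inSz` but still admits `inSz == 0`, where `tmpSz = inSz * (word32)i` is 0 and each growth step `newSz = tmpSz + inSz` adds nothing. If the loop retries whenever the output buffer is too small, as the visible growth code suggests, and `maxSz` does not bound it, that input may never make progress; the retry condition lies outside the visible hunks, all of which start and end inside wc_DeCompressDynamic, so this needs confirming. Extending the guard to `if (inSz == 0 || inSz > (word32)(INT_MAX / 2)) {` would close it. A one-line comment on the `stream.total_out > (uLong)INT_MAX` branch, such as `/* defensive: total_out must fit the int return before the cast */`, would also help, since the loop cap already keeps `tmpSz` at or below INT_MAX.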