From 8667bd0f92e6cbbb2c7cfe7705f6da420b31e982 Mon Sep 17 00:00:00 2001
From: Jeremiah Mackey
Date: Wed, 6 May 2026 15:46:59 +0000
Subject: [PATCH] wolfcrypt: validate API input sizes

---
 wolfcrypt/src/asn.c      |  9 ++++++++-
 wolfcrypt/src/compress.c | 27 +++++++++++++++++++++------
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 3b416d110b..ade5529a6d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -24880,7 +24880,14 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 int wc_PemToDer(const unsigned char* buff, long longSz, int type,
                 DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
 {
-    int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
+    int ret;
+
+    if (buff == NULL || longSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+    ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     if (ret == 0 && type == PRIVATEKEY_TYPE) {
         DerBuffer* der = *pDer;
diff --git a/wolfcrypt/src/compress.c b/wolfcrypt/src/compress.c
index 17bfe07010..63f58fbd4f 100644
--- a/wolfcrypt/src/compress.c
+++ b/wolfcrypt/src/compress.c
@@ -221,6 +221,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     if (out == NULL || in == NULL) {
         return BAD_FUNC_ARG;
     }
+    /* Cap input so the initial doubling and additive growth in the loop
+     * cannot overflow word32 or the int return type. */
+    if (inSz > (word32)(INT_MAX / 2)) {
+        return BAD_FUNC_ARG;
+    }
     i = (maxSz == 1)? 1 : 2; /* start with output buffer twice the size of input
                               * unless max was set to 1 */
@@ -229,7 +234,7 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     /* Check for source > 64K on 16-bit machine: */
     if ((uLong)stream.avail_in != inSz)
         return DECOMPRESS_INIT_E;
-    tmpSz = inSz * i;
+    tmpSz = inSz * (word32)i;
     tmp = (byte*)XMALLOC(tmpSz, heap, memoryType);
     if (tmp == NULL)
         return MEMORY_E;
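Review bot: The added guard in wc_PemToDer checks `buff` and `longSz` but not `pDer`, and the context at the bottom of the hunk dereferences it as `*pDer` whenever `ret == 0` and `type == PRIVATEKEY_TYPE`; unless PemToDer itself rejects a NULL `pDer` (its body is outside this hunk), a NULL output pointer still reaches that dereference. Extending the guard is one token: `if (buff == NULL || longSz <= 0 || pDer == NULL) {`. `info` and `keyFormat` look to be optional here, so they should stay unchecked. wc_PemToDer continues past the end of the hunk.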
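Review bot: The new size check in wc_DeCompressDynamic rejects oversized input but lets `inSz == 0` through, where the later `tmpSz = inSz * (word32)i` turns into a zero-byte XMALLOC and, depending on the allocator, either a MEMORY_E for what is really a bad argument or an inflate call with no input at all; the asn.c change in this same patch rejects `longSz <= 0`, so matching it here would be consistent: `if (inSz == 0 || inSz > (word32)(INT_MAX / 2)) {`. If an empty input is meant to be valid here, a comment saying so at the check would be the alternative. The comment above the cap also claims more than the cap delivers: on its own it only makes the initial `inSz * i` fit, while the additive growth is bounded by the separate check in the loop, so I would write `/* Cap input so inSz * 2 fits in int; the growth loop bounds tmpSz separately. */`. wc_DeCompressDynamic starts and ends outside this hunk.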
@@ -278,6 +283,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
         }
         i++;
+        if (tmpSz > (word32)INT_MAX - inSz) {
+            WOLFSSL_MSG("Decompress buffer would exceed INT_MAX");
+            result = DECOMPRESS_E;
+            break;
+        }
         newSz = tmpSz + inSz;
         newTmp = (byte*)XMALLOC(newSz, heap, memoryType);
         if (newTmp == NULL) {
@@ -295,13 +305,18 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     } while (result == Z_OK);
     if (result == Z_STREAM_END) {
-        result = (int)stream.total_out;
-        *out = (byte*)XMALLOC(result, heap, memoryType);
-        if (*out != NULL) {
-            XMEMCPY(*out, tmp, result);
+        if (stream.total_out > (uLong)INT_MAX) {
+            result = DECOMPRESS_E;
         }
         else {
-            result = MEMORY_E;
+            result = (int)stream.total_out;
+            *out = (byte*)XMALLOC(result, heap, memoryType);
+            if (*out != NULL) {
+                XMEMCPY(*out, tmp, result);
+            }
+            else {
+                result = MEMORY_E;
+            }
         }
     }
     else {
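Review bot: The new bound `tmpSz > (word32)INT_MAX - inSz` is sound given the earlier cap on `inSz`, but nothing at the check says why the limit is INT_MAX rather than the word32 the sizes are computed in; a one-line comment would spare the next reader re-deriving it: `/* newSz must stay <= INT_MAX: total_out is returned through the int result */`. The `break` leaves `tmp` allocated and relies on the post-loop error path, which is outside this hunk, to free it; that appears to be the `else` after the Z_STREAM_END test, which already handles zlib failures, but it is worth confirming it frees `tmp` for this non-zlib `result` value as well. wc_DeCompressDynamic starts and ends outside this hunk.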
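Review bot: The new `stream.total_out > (uLong)INT_MAX` test is effectively unreachable once the growth loop keeps `tmpSz` at or below INT_MAX (total_out should not exceed the buffer inflate was given, assuming output stays within `tmp`), so it is a belt-and-braces check but is not marked as one, and a reader will otherwise hunt for the path that trips it; I would say so in place: `/* Defensive: the growth loop already keeps tmpSz, and so total_out, <= INT_MAX */`. The rewritten success path still passes `result == 0` to XMALLOC when the stream decompressed to nothing, which some allocators answer with NULL and the code then reports as MEMORY_E; whether an empty result is legitimate here I cannot tell from the hunk, but since these lines were rewritten anyway this is the place to decide it, either with an explicit `if (stream.total_out == 0)` branch or a comment stating that empty output is treated as a failure. wc_DeCompressDynamic starts and ends outside this hunk.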