From b41ce0427c7295412a2c417fe4063c323d69af4d Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Fri, 1 Nov 2024 12:43:08 -0500
Subject: [PATCH] src/pk.c: in pem_read_bio_key(), fix invalid read (ZD#18875).
---
 src/pk.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/pk.c b/src/pk.c
index a78ec130c..d8fdf2d85 100644
--- a/src/pk.c
+++ b/src/pk.c
@@ -165,7 +165,26 @@ static int pem_read_bio_key(WOLFSSL_BIO* bio, wc_pem_password_cb* cb,
 /* Write left over data back to BIO if not a file BIO */
 if ((ret > 0) && ((memSz - ret) > 0) && (bio->type != WOLFSSL_BIO_FILE)) {
- int res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret);
+ int res;
+ if (!alloced) {
+ /* If wolfssl_read_bio() points mem at the buffer internal to
+ * bio, we need to dup it before calling wolfSSL_BIO_write(),
+ * because the latter may reallocate the bio, invalidating the
+ * mem pointer before reading from it.
+ */
+ char *mem_dup = (char *)XMALLOC((size_t)(memSz - ret),
+ NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (mem_dup != NULL) {
+ XMEMCPY(mem_dup, mem + ret, (size_t)(memSz - ret));
+ res = wolfSSL_BIO_write(bio, mem_dup, memSz - ret);
+ mem = mem_dup;
+ alloced = 1;
+ }
+ else
+ res = MEMORY_E;
+ }
+ else
+ res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret);
 if (res != memSz - ret) {
 WOLFSSL_ERROR_MSG("Unable to write back excess data");
 if (res < 0) {
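Review bot: In the `mem_dup != NULL` branch, `mem = mem_dup; alloced = 1;` hands the temporary copy to cleanup code that is not visible in this hunk. The fix is therefore leak-free only if that later code frees `mem` under `alloced` with `DYNAMIC_TYPE_TMP_BUFFER`, and safe only if nothing afterwards reads `mem` or `memSz` as the original PEM buffer, since `mem` now holds just the `memSz - ret` leftover bytes. Freeing the copy where it is used would keep its lifetime local and leave `mem` untouched: replace those two lines with `XFREE(mem_dup, NULL, DYNAMIC_TYPE_TMP_BUFFER);` directly after the `wolfSSL_BIO_write()` call. The two unbraced `else` bodies also differ from the braced style of the neighbouring `if (res < 0) {`. pem_read_bio_key() begins and ends outside the hunk, so the cleanup path should be checked against the full function.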