From d701a0a06e2c70c96af6c9ab5d641e1f47013368 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 25 Apr 2023 08:30:33 -0700
Subject: [PATCH] add sanity check on PKCS7 index value

---
 wolfcrypt/src/pkcs7.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index e36f05a91..437327712 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -9733,6 +9733,10 @@ static int wc_PKCS7_DecryptKekri(PKCS7* pkcs7, byte* in, word32 inSz,
                 *idx += (dateLen + 1);
             }
 
+            if (*idx > pkiMsgSz) {
+                return ASN_PARSE_E;
+            }
+
             /* may have OPTIONAL OtherKeyAttribute */
             localIdx = *idx;
             if ((*idx < kekIdSz) && GetASNTag(pkiMsg, &localIdx, &tag,
@@ -9745,6 +9749,10 @@ static int wc_PKCS7_DecryptKekri(PKCS7* pkcs7, byte* in, word32 inSz,
                 *idx += length;
             }
 
+            if (*idx > pkiMsgSz) {
+                return ASN_PARSE_E;
+            }
+
             /* get KeyEncryptionAlgorithmIdentifier */
             if (GetAlgoId(pkiMsg, idx, &keyWrapOID, oidKeyWrapType, pkiMsgSz) < 0)
                 return ASN_PARSE_E;