@@ -14391,9 +14391,17 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
1439114391 }
1439214392
1439314393 if (ret == 0) {
14394- XMEMCPY(encryptedContent, &pkiMsg[idx],
14394+ word32 tmpSum;
14395+ if (!WC_SAFE_SUM_WORD32(idx, (word32)encryptedContentSz,
14396+ tmpSum) ||
14397+ tmpSum > pkiMsgSz) {
14398+ ret = BUFFER_E;
14399+ break;
14400+ } else {
14401+ XMEMCPY(encryptedContent, &pkiMsg[idx],
1439514402 (word32)encryptedContentSz);
14396- idx += (word32)encryptedContentSz;
14403+ idx += (word32)encryptedContentSz;
14404+ }
1439714405 }
1439814406 #ifndef NO_PKCS7_STREAM
1439914407 pkcs7->stream->bufferPt = encryptedContent;
@@ -15327,16 +15335,22 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
1532715335 }
1532815336
1532915337 if (ret == 0) {
15330- XMEMCPY(encryptedContent, &pkiMsg[idx],
15331- (unsigned int)encryptedContentSz);
15332- idx += (word32)encryptedContentSz;
15333-
15334- /* decrypt encryptedContent */
15335- ret = wc_PKCS7_DecryptContent(pkcs7, encOID,
15336- pkcs7->encryptionKey, pkcs7->encryptionKeySz,
15337- tmpIv, expBlockSz, NULL, 0, NULL, 0,
15338- encryptedContent, encryptedContentSz,
15339- encryptedContent, pkcs7->devId, pkcs7->heap);
15338+ word32 tmpSum;
15339+ if (!WC_SAFE_SUM_WORD32(idx, (word32)encryptedContentSz, tmpSum) ||
15340+ tmpSum > pkiMsgSz) {
15341+ ret = BUFFER_E;
15342+ } else {
15343+ XMEMCPY(encryptedContent, &pkiMsg[idx],
15344+ (unsigned int)encryptedContentSz);
15345+ idx += (word32)encryptedContentSz;
15346+
15347+ /* decrypt encryptedContent */
15348+ ret = wc_PKCS7_DecryptContent(pkcs7, encOID,
15349+ pkcs7->encryptionKey, pkcs7->encryptionKeySz,
15350+ tmpIv, expBlockSz, NULL, 0, NULL, 0,
15351+ encryptedContent, encryptedContentSz,
15352+ encryptedContent, pkcs7->devId, pkcs7->heap);
15353+ }
1534015354 if (ret != 0) {
1534115355 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
1534215356 }
0 commit comments