Fix SRTP KDF null-idx crash and X509 DER length hardening

ColtonWilley · ColtonWilley · commit f57a7b7521b0 · 2026-05-05T12:00:47.000-07:00
- wolfcrypt/src/kdf.c: Add null idx guard to wc_SRTP_KDF, wc_SRTCP_KDF,
  wc_SRTP_KDF_kdr_to_idx, and wc_KDF_SRTP_label
- src/x509.c: Add derCert-&gt;length &gt; INT_MAX check in wolfSSL_X509_get_der
  and derSz &lt;= 0 check in wolfSSL_i2d_X509
diff --git a/src/x509.c b/src/x509.c
@@ -4406,6 +4406,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
     if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
         return NULL;
 
+    if (x509->derCert->length > (word32)INT_MAX) {
+        return NULL;
+    }
+
     *outSz = (int)x509->derCert->length;
     return x509->derCert->buffer;
 }
@@ -8676,7 +8680,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)
     }
 
     der = wolfSSL_X509_get_der(x509, &derSz);
-    if (der == NULL) {
+    if (der == NULL || derSz <= 0) {
         WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);
         return MEMORY_E;
     }

Original file line number	Diff line number	Diff line change
`@@ -4406,6 +4406,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)`
`4406`	`4406`	`if (x509 == NULL \|\| x509->derCert == NULL \|\| outSz == NULL)`
`4407`	`4407`	`return NULL;`
`4408`	`4408`
	`4409`	`+ if (x509->derCert->length > (word32)INT_MAX) {`
	`4410`	`+ return NULL;`
	`4411`	`+ }`
	`4412`	`+`
`4409`	`4413`	`*outSz = (int)x509->derCert->length;`
`4410`	`4414`	`return x509->derCert->buffer;`
`4411`	`4415`	`}`
`@@ -8676,7 +8680,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)`
`8676`	`8680`	`}`
`8677`	`8681`
`8678`	`8682`	`der = wolfSSL_X509_get_der(x509, &derSz);`
`8679`		`- if (der == NULL) {`
	`8683`	`+ if (der == NULL \|\| derSz <= 0) {`
`8680`	`8684`	`WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);`
`8681`	`8685`	`return MEMORY_E;`
`8682`	`8686`	`}`