wolfcrypt: validate API input sizes

JeremiahM37 · JeremiahM37 · commit 0d6adc71ad59 · 2026-05-06T16:01:03.000Z
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -24855,7 +24855,14 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 int wc_PemToDer(const unsigned char* buff, long longSz, int type,
               DerBuffer** pDer, void* heap, EncryptedInfo* info, int* keyFormat)
 {
-    int ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
+    int ret;
+
+    if (buff == NULL || longSz <= 0) {
+        WOLFSSL_MSG("Bad pem der args");
+        return BAD_FUNC_ARG;
+    }
+
+    ret = PemToDer(buff, longSz, type, pDer, heap, info, keyFormat);
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     if (ret == 0 && type == PRIVATEKEY_TYPE) {
         DerBuffer* der = *pDer;
diff --git a/wolfcrypt/src/compress.c b/wolfcrypt/src/compress.c
@@ -221,6 +221,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     if (out == NULL || in == NULL) {
         return BAD_FUNC_ARG;
     }
+    /* Cap input so the initial doubling and additive growth in the loop
+     * cannot overflow word32 or the int return type. */
+    if (inSz > (word32)(INT_MAX / 2)) {
+        return BAD_FUNC_ARG;
+    }
     i = (maxSz == 1)? 1 : 2; /* start with output buffer twice the size of input
                               * unless max was set to 1 */
 
@@ -229,7 +234,7 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     /* Check for source > 64K on 16-bit machine: */
     if ((uLong)stream.avail_in != inSz) return DECOMPRESS_INIT_E;
 
-    tmpSz = inSz * i;
+    tmpSz = inSz * (word32)i;
     tmp = (byte*)XMALLOC(tmpSz, heap, memoryType);
     if (tmp == NULL)
         return MEMORY_E;
@@ -278,6 +283,11 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
             }
             i++;
 
+            if (tmpSz > (word32)INT_MAX - inSz) {
+                WOLFSSL_MSG("Decompress buffer would exceed INT_MAX");
+                result = DECOMPRESS_E;
+                break;
+            }
             newSz = tmpSz + inSz;
             newTmp = (byte*)XMALLOC(newSz, heap, memoryType);
             if (newTmp == NULL) {
@@ -295,13 +305,18 @@ int wc_DeCompressDynamic(byte** out, int maxSz, int memoryType,
     } while (result == Z_OK);
 
     if (result == Z_STREAM_END) {
-        result = (int)stream.total_out;
-        *out   = (byte*)XMALLOC(result, heap, memoryType);
-        if (*out != NULL) {
-            XMEMCPY(*out, tmp, result);
+        if (stream.total_out > (uLong)INT_MAX) {
+            result = DECOMPRESS_E;
         }
         else {
-            result = MEMORY_E;
+            result = (int)stream.total_out;
+            *out   = (byte*)XMALLOC(result, heap, memoryType);
+            if (*out != NULL) {
+                XMEMCPY(*out, tmp, result);
+            }
+            else {
+                result = MEMORY_E;
+            }
         }
     }
     else {
