@@ -14380,9 +14380,17 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
1438014380 }
1438114381
1438214382 if (ret == 0) {
14383- XMEMCPY(encryptedContent, &pkiMsg[idx],
14383+ word32 tmpSum;
14384+ if (!WC_SAFE_SUM_WORD32(idx, (word32)encryptedContentSz,
14385+ tmpSum) ||
14386+ tmpSum > pkiMsgSz) {
14387+ ret = BUFFER_E;
14388+ break;
14389+ } else {
14390+ XMEMCPY(encryptedContent, &pkiMsg[idx],
1438414391 (word32)encryptedContentSz);
14385- idx += (word32)encryptedContentSz;
14392+ idx += (word32)encryptedContentSz;
14393+ }
1438614394 }
1438714395 #ifndef NO_PKCS7_STREAM
1438814396 pkcs7->stream->bufferPt = encryptedContent;
@@ -15316,16 +15324,22 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
1531615324 }
1531715325
1531815326 if (ret == 0) {
15319- XMEMCPY(encryptedContent, &pkiMsg[idx],
15320- (unsigned int)encryptedContentSz);
15321- idx += (word32)encryptedContentSz;
15322-
15323- /* decrypt encryptedContent */
15324- ret = wc_PKCS7_DecryptContent(pkcs7, encOID,
15325- pkcs7->encryptionKey, pkcs7->encryptionKeySz,
15326- tmpIv, expBlockSz, NULL, 0, NULL, 0,
15327- encryptedContent, encryptedContentSz,
15328- encryptedContent, pkcs7->devId, pkcs7->heap);
15327+ word32 tmpSum;
15328+ if (!WC_SAFE_SUM_WORD32(idx, (word32)encryptedContentSz, tmpSum) ||
15329+ tmpSum > pkiMsgSz) {
15330+ ret = BUFFER_E;
15331+ } else {
15332+ XMEMCPY(encryptedContent, &pkiMsg[idx],
15333+ (unsigned int)encryptedContentSz);
15334+ idx += (word32)encryptedContentSz;
15335+
15336+ /* decrypt encryptedContent */
15337+ ret = wc_PKCS7_DecryptContent(pkcs7, encOID,
15338+ pkcs7->encryptionKey, pkcs7->encryptionKeySz,
15339+ tmpIv, expBlockSz, NULL, 0, NULL, 0,
15340+ encryptedContent, encryptedContentSz,
15341+ encryptedContent, pkcs7->devId, pkcs7->heap);
15342+ }
1532915343 if (ret != 0) {
1533015344 XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
1533115345 }
0 commit comments