From 42f453dd2490546b1775418753e4ee250c7c301b Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 10 Jul 2026 16:05:55 -0700 Subject: [PATCH 1/3] Use safe sum for certSz in PKCS7_VerifySignedData. Reported-by: Andrew Chin --- wolfcrypt/src/pkcs7.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 882a2af1ae..e4794385ed 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7756,7 +7756,11 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf, ret = ASN_PARSE_E; cert = &pkiMsg2[idx]; - certSz += (int)(certIdx - idx); + if (!WC_SAFE_SUM_SIGNED(int, certSz, + (int)(certIdx - idx), certSz)) { + ret = BUFFER_E; + break; + } if (certSz > length) { ret = BUFFER_E; break; From 8f3f18a1d1a2d254421b05780472532def877cdd Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 10 Jul 2026 16:14:05 -0700 Subject: [PATCH 2/3] Also use safe sum for length in PKCS7_VerifySignedData. --- wolfcrypt/src/pkcs7.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index e4794385ed..3578f7b5de 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7641,8 +7641,10 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf, WOLFSSL_MSG("certificate set found"); - /* adjust cert length */ - length += (int)(localIdx - certIdx); + if (!WC_SAFE_SUM_SIGNED(int, length, + (int)(localIdx - certIdx), length)) { + ret = ASN_PARSE_E; + } idx = certIdx; } } From f8d59055972d89df029ae493d95c64863471ab85 Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 10 Jul 2026 16:35:33 -0700 Subject: [PATCH 3/3] Code review feedback --- wolfcrypt/src/pkcs7.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 3578f7b5de..8ca153d470 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -7645,7 +7645,9 @@ static int PKCS7_VerifySignedData(wc_PKCS7* pkcs7, const byte* hashBuf, (int)(localIdx - certIdx), length)) { ret = ASN_PARSE_E; } - idx = certIdx; + else { + idx = certIdx; + } } } /* in case certificates set has definite length */