From 24d5881b307943abd98234d9533185b15a9e182f Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 3 Apr 2026 16:05:44 -0700
Subject: [PATCH 1/2] Ensure esd->signedAttribsCount contains the correct count in case some are skipped by using the current idx rather than the total array size. Thanks to Zou Dikai for the report.
---
 wolfcrypt/src/pkcs7.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 9efec15ec7..c8ffb4b5ed 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -2252,7 +2252,7 @@ static int wc_PKCS7_BuildSignedAttributes(wc_PKCS7* pkcs7, ESD* esd,
 idx++;
 }
- esd->signedAttribsCount += cannedAttribsCount;
+ esd->signedAttribsCount += idx;
 esd->signedAttribsSz += (word32)EncodeAttributes( &esd->signedAttribs[atrIdx], (int)idx, cannedAttribs, (int)cannedAttribsCount);
From bcea3ea6b1debf25126f745a1f179f8ec1e7a1fc Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 3 Apr 2026 16:06:35 -0700
Subject: [PATCH 2/2] In wc_PKCS7_DecodeEnvelopedData, confirm encryptedContentTotalSz does not exceed the total message size before using it in the non-streaming case. Thanks to Zou Dikai for the report.
---
 wolfcrypt/src/pkcs7.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index c8ffb4b5ed..54967f938a 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -13217,6 +13217,11 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
 }
 wc_PKCS7_DecryptContentFree(pkcs7, encOID, pkcs7->heap);
 } else {
+ if ((idx + (word32)encryptedContentTotalSz) > pkiMsgSz) {
+ ret = BUFFER_E;
+ break;
+ }
+
 pkcs7->cachedEncryptedContentSz =
 (word32)encryptedContentTotalSz;
 pkcs7->totalEncryptedContentSz =
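Review bot: The switch from `cannedAttribsCount` to `idx` in `esd->signedAttribsCount += idx;` carries no comment saying why the two can differ, and the very next statement still passes both `(int)idx` and `(int)cannedAttribsCount` to `EncodeAttributes`, so a later reader could easily change it back. I would add above the assignment: `/* idx is the number of canned attributes actually filled in above; some may be skipped, so cannedAttribsCount can overstate it */`. Presumably later code walks `signedAttribsCount` entries of `esd->signedAttribs`, in which case an overstated count means reading entries that were never populated; a regression test that builds SignedData with one attribute skipped would pin the fix. The enclosing function starts and ends outside the hunk, so whether `atrIdx + idx` stays within the `signedAttribs` array cannot be confirmed from here.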
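Review bot: The new bound check `(idx + (word32)encryptedContentTotalSz) > pkiMsgSz` can wrap: if `encryptedContentTotalSz` is negative or near the 32-bit limit, the cast and the addition overflow, the sum compares as small, and the oversized length is accepted. Unless a check outside this hunk already bounds the value, compare against the remaining space instead: `if (encryptedContentTotalSz < 0 || idx > pkiMsgSz || (word32)encryptedContentTotalSz > pkiMsgSz - idx) {`. This assumes `idx` and `pkiMsgSz` are `word32`, which the cast suggests but the hunk does not show. The function body continues on both sides of the hunk, so what the `break` after `ret = BUFFER_E` leaves for cleanup should be confirmed there.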