do bounds check on full word32 size to match

jpbland1 · jpbland1 · commit e1435e96d22d · 2024-01-03T17:21:08.000-05:00
inputBuffer length
diff --git a/src/internal.c b/src/internal.c
@@ -21162,16 +21162,19 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
                 ssl->keys.decryptedCur = 1;
 #ifdef WOLFSSL_TLS13
                 if (ssl->options.tls1_3) {
-                    /* end of plaintext */
-                    word16 i = (word16)(ssl->buffers.inputBuffer.idx +
-                                 ssl->curSize - ssl->specs.aead_mac_size);
-
-                    /* check i isn't too big and won't wrap around on --i */
-                    if (i > ssl->buffers.inputBuffer.length || i == 0) {
+                    /* check that the end of the logical length doesn't extend
+                     * past the real buffer */
+                    word32 boundsCheck = (ssl->buffers.inputBuffer.idx +
+                        ssl->curSize - ssl->specs.aead_mac_size);
+                    if (boundsCheck > ssl->buffers.inputBuffer.length ||
+                        boundsCheck == 0) {
                         WOLFSSL_ERROR(BUFFER_ERROR);
                         return BUFFER_ERROR;
                     }
 
+                    /* end of plaintext */
+                    word16 i = (word16)(boundsCheck);
+
                     /* Remove padding from end of plain text. */
                     for (--i; i > ssl->buffers.inputBuffer.idx; i--) {
                         if (ssl->buffers.inputBuffer.buffer[i] != 0)
