pvkfmt: check keylen before copying the BLOBHEADER

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Jun 10 11:12:39 2026
(Merged from https://github.com/openssl/openssl/pull/31352)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 9bfbb01e430aa77b8af8e8b232550143c703d4b1..31b46183a404390f3343831a3ed5f4e298903559 100644 (file)
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -893,13 +893,13 @@ static void *do_PVK_body_key(const unsigned char **in,
                 (unsigned char *)psbuf, inlen, libctx, propq))
             goto err;
         p += saltlen;
-        /* Copy BLOBHEADER across, decrypt rest */
-        memcpy(enctmp, p, 8);
-        p += 8;
         if (keylen < 8) {
             ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
             goto err;
         }
+        /* Copy BLOBHEADER across, decrypt rest */
+        memcpy(enctmp, p, 8);
+        p += 8;
         inlen = keylen - 8;
         q = enctmp + 8;
         if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)