From: rootvector2 Date: Mon, 1 Jun 2026 14:28:09 +0000 (+0530) Subject: pvkfmt: check keylen before copying the BLOBHEADER X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2b48f060d097c33dd36613ca7071167f5cfc118;p=thirdparty%2Fopenssl.git pvkfmt: check keylen before copying the BLOBHEADER Reviewed-by: Daniel Kubec Reviewed-by: Neil Horman MergeDate: Wed Jun 10 11:12:39 2026 (Merged from https://github.com/openssl/openssl/pull/31352)
---
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 9bfbb01e430..31b46183a40 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -893,13 +893,13 @@ static void *do_PVK_body_key(const unsigned char **in,
 (unsigned char *)psbuf, inlen, libctx, propq))
 goto err;
 p += saltlen;
- /* Copy BLOBHEADER across, decrypt rest */
- memcpy(enctmp, p, 8);
- p += 8;
 if (keylen < 8) {
 ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
 goto err;
 }
+ /* Copy BLOBHEADER across, decrypt rest */
+ memcpy(enctmp, p, 8);
+ p += 8;
 inlen = keylen - 8;
 q = enctmp + 8;
 if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
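Review bot: The reordered guard `if (keylen < 8)` now protects the 8-byte read from `p`, but nothing in the code says so, and the comment that moved with the `memcpy` still describes only the copy; a comment on the check such as `/* keylen must cover the 8-byte BLOBHEADER before it is read from p */` would keep a later refactor from putting the copy back ahead of the check. The literal 8 appears five times in this hunk (the check, `memcpy`, `p += 8`, `keylen - 8`, `enctmp + 8`), so a named constant for the header size would make the dependency between them explicit. The check admits `keylen == 8`, which gives `inlen == 0`; whether the decrypt and parse steps that follow handle an empty payload is not visible here, since do_PVK_body_key starts before and continues past the hunk. A regression test using a PVK blob whose key length is below 8 is not part of the visible diff and would be worth adding if the pull request does not already carry one.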