add check to prevent integer underflow

Author: rlm2002

src/internal.c

@@ -21240,7 +21240,8 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
     if (ssl->specs.cipher_type == block) {
 #ifdef HAVE_ENCRYPT_THEN_MAC
         if (ssl->options.startedETMRead) {
-            if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
+            if (encryptSz < minLength ||
+                (encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
                 WOLFSSL_MSG("Block ciphertext not block size");
                 WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
                 return SANITY_CIPHER_E;