From 72b26beb012c1812293b06d0f23f744b9b0bbfcf Mon Sep 17 00:00:00 2001 From: TristanInSec Date: Wed, 15 Apr 2026 18:27:08 -0400 Subject: [PATCH] Fix GetObjectId bounds in PKCS12 ContentInfo parsing Bound GetObjectId() by the ContentInfo SEQUENCE end (curIdx + curSz) instead of the full buffer size. This prevents the OID TLV from being parsed past the SEQUENCE boundary in the first place, complementing the post-check added in PR #10018. Previously, GetObjectId received (word32)size as maxIdx, allowing it to read OID data beyond the ContentInfo SEQUENCE. The post-check then caught this after the fact. With this change, GetObjectId itself rejects an OID that would exceed the SEQUENCE, so the over-read never occurs. --- wolfcrypt/src/pkcs12.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 0bea569f2d3..0f4f7ce4d6a 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -328,7 +328,7 @@ static int GetSafeContent(WC_PKCS12* pkcs12, const byte* input, curIdx = localIdx; if ((ret = GetObjectId(input, &localIdx, &oid, oidIgnoreType, - (word32)size)) < 0) { + curIdx + (word32)curSz)) < 0) { WOLFSSL_LEAVE("Get object id failed", ret); freeSafe(safe, pkcs12->heap); return ret;
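Review bot: In the GetObjectId call in GetSafeContent, the new maxIdx argument `curIdx + (word32)curSz` is a tighter bound than `(word32)size` only if curSz is already known to be non-negative and to fit inside the remaining input, and the hunk does not show that check. If the preceding length parse does not guarantee it, the sum can exceed size or wrap in word32, and the call would then accept a bound past the buffer or reject valid input. Either add a short comment above the call naming where curSz is validated, or guard explicitly, for example by returning an error when `(word32)curSz > (word32)size - curIdx` before calling GetObjectId. A regression test with a ContentInfo whose OID length crosses the SEQUENCE end would also pin the behaviour the commit message describes, so that this call fails on its own rather than relying on the later post-check.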