Fix for MDEV-11174:

A GCM encrypted ciphertext must contain an authentication tag with AES_BLOCK_SIZE length, so we need to check that the length of ciphertext is at least AES_BLOCK_SIZE.

Author: 9EOR9

mysys_ssl/my_crypt.cc

@@ -168,6 +168,9 @@ class MyCTX_gcm : public MyCTX
     */
     if (!ctx.encrypt)
     {
+      /* encrypted string must contain authenticaton tag (see MDEV-11174) */
+      if (slen < MY_AES_BLOCK_SIZE)
+        return MY_AES_BAD_DATA;
       slen-= MY_AES_BLOCK_SIZE;
       if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
                               (void*)(src + slen)))