wolfSSL · embhorn · Oct 15, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/src/internal.c b/src/internal.c
@@ -10613,8 +10613,11 @@ static void AddHandShakeHeader(byte* output, word32 length,
     if (hs == NULL)
         return;
 
+    PRAGMA_GCC_DIAG_PUSH;
+    PRAGMA_GCC("GCC diagnostic ignored \"-Wnull-dereference\"");
     hs->type = type;
     c32to24(length, hs->length);         /* type and length same for each */
+    PRAGMA_GCC_DIAG_POP;
 #ifdef WOLFSSL_DTLS
     if (ssl->options.dtls) {
         DtlsHandShakeHeader* dtls;
@@ -14705,7 +14708,10 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
             if (idx >= 0) {
                 WOLFSSL_MSG("find hashed CRL in list");
                 ph = wolfSSL_sk_BY_DIR_HASH_value(entry->hashes, idx);
-                suffix = ph->last_suffix;
+                if (ph)
+                    suffix = ph->last_suffix;
+                else
+                    suffix = 0;
             } else {
                 ph = NULL;
                 suffix = 0;
@@ -23309,6 +23315,8 @@ int SendChangeCipher(WOLFSSL* ssl)
 
     /* get output buffer */
     output = GetOutputBuffer(ssl);
+    if (output == NULL)
+        return BUFFER_E;
 
     AddRecordHeader(output, 1, change_cipher_spec, ssl, CUR_ORDER);
 

diff --git a/src/ssl.c b/src/ssl.c
@@ -11549,15 +11549,17 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         #endif
             byte* myBuffer  = staticBuffer;
             int   dynamic   = 0;
-            word32 sending   = 0;
-            int   idx       = 0;
+            size_t sending   = 0;
+            size_t idx       = 0;
             int   i;
             int   ret;
 
             WOLFSSL_ENTER("wolfSSL_writev");
 
             for (i = 0; i < iovcnt; i++)
-                sending += iov[i].iov_len;
+                if (! WC_SAFE_SUM_UNSIGNED(size_t, sending, iov[i].iov_len,
+                                           sending))
+                    return BUFFER_E;
 
             if (sending > sizeof(staticBuffer)) {
                 myBuffer = (byte*)XMALLOC(sending, ssl->heap,

diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
@@ -13706,8 +13706,12 @@ static int AesXtsEncryptUpdate(XtsAes* xaes, byte* out, const byte* in, word32 s
     }
 
 #ifndef WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING
-    (void)WC_SAFE_SUM_WORD32(stream->bytes_crypted_with_this_tweak, sz,
-                             stream->bytes_crypted_with_this_tweak);
+    if (! WC_SAFE_SUM_WORD32(stream->bytes_crypted_with_this_tweak, sz,
+                             stream->bytes_crypted_with_this_tweak))
+    {
+        WOLFSSL_MSG("Overflow of stream->bytes_crypted_with_this_tweak "
+                    "in AesXtsEncryptUpdate().");
+    }
 #endif
 #if FIPS_VERSION3_GE(6,0,0)
     /* SP800-38E - Restrict data unit to 2^20 blocks per key. A block is
@@ -14144,15 +14148,20 @@ static int AesXtsDecryptUpdate(XtsAes* xaes, byte* out, const byte* in, word32 s
         return BAD_FUNC_ARG;
     }
 
-    if (stream->bytes_crypted_with_this_tweak & ((word32)WC_AES_BLOCK_SIZE - 1U))
+    if (stream->bytes_crypted_with_this_tweak &
+        ((word32)WC_AES_BLOCK_SIZE - 1U))
     {
-        WOLFSSL_MSG("Call to AesXtsDecryptUpdate after previous finalizing call");
+        WOLFSSL_MSG("AesXtsDecryptUpdate after previous finalizing call");
         return BAD_FUNC_ARG;
     }
 
 #ifndef WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING
-    (void)WC_SAFE_SUM_WORD32(stream->bytes_crypted_with_this_tweak, sz,
-                             stream->bytes_crypted_with_this_tweak);
+    if (! WC_SAFE_SUM_WORD32(stream->bytes_crypted_with_this_tweak, sz,
+                             stream->bytes_crypted_with_this_tweak))
+    {
+        WOLFSSL_MSG("Overflow of stream->bytes_crypted_with_this_tweak "
+                    "in AesXtsDecryptUpdate().");
+    }
 #endif
 
     {

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -29915,19 +29915,18 @@ static int EncodeName(EncodedName* name, const char* nameStr,
         ret = BAD_FUNC_ARG;
     }
 
-#ifdef WOLFSSL_CUSTOM_OID
-    if (ret == 0 && type == ASN_CUSTOM_NAME) {
-        if (cname == NULL || cname->custom.oidSz == 0) {
-            name->used = 0;
-            return 0;
-        }
-    }
-#else
-    (void)cname;
-#endif
-
-    CALLOC_ASNSETDATA(dataASN, rdnASN_Length, ret, NULL);
     if (ret == 0) {
+    #ifdef WOLFSSL_CUSTOM_OID
+        if (type == ASN_CUSTOM_NAME) {
+            if (cname == NULL || cname->custom.oidSz == 0) {
+                name->used = 0;
+                return 0;
+            }
+        }
+    #else
+        (void)cname;
+    #endif
+        CALLOC_ASNSETDATA(dataASN, rdnASN_Length, ret, NULL);
         nameSz = (word32)XSTRLEN(nameStr);
         /* Copy the RDN encoding template. ASN.1 tag for the name string is set
          * based on type. */

diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
@@ -462,8 +462,75 @@ enum {
 
 #define XELEM_CNT(x) (sizeof((x))/sizeof(*(x)))
 
-#define WC_SAFE_SUM_WORD32(in1, in2, out) ((in2) <= 0xffffffffU - (in1) ? \
-            ((out) = (in1) + (in2), 1) : ((out) = 0xffffffffU, 0))
+#ifdef NO_INLINE
+    #define WC_WUR_INT(x) (x)
+#else
+    static WC_INLINE WARN_UNUSED_RESULT int WC_WUR_INT(int x) { return x; }
+#endif
+
+#ifdef WORD64_AVAILABLE
+    #define WC_MAX_UINT_OF(x)                                        \
+        ((((word64)1 << ((sizeof(x) * (word64)CHAR_BIT) -            \
+                         (word64)1)) - (word64)1)                    \
+         |                                                           \
+         ((word64)1 << ((sizeof(x) * (word64)CHAR_BIT) - (word64)1)))
+    #define WC_MAX_SINT_OF(x)                                        \
+        ((sword64)((((word64)1 << ((sizeof(x) * (word64)CHAR_BIT) -  \
+                                   (word64)2)) - (word64)1)          \
+                   |                                                 \
+                   ((word64)1 << ((sizeof(x) * (word64)CHAR_BIT) -   \
+                                  (word64)2))))
+    #define WC_MIN_SINT_OF(x)                                        \
+        ((sword64)((word64)1 << ((sizeof(x) * (word64)CHAR_BIT) -    \
+                                 (word64)1)))
+#else
+    #define WC_MAX_UINT_OF(x)                                        \
+        ((((word32)1 << ((sizeof(x) * (word32)CHAR_BIT) -            \
+                         (word32)1)) - (word32)1)                    \
+         |                                                           \
+         ((word32)1 << ((sizeof(x) * (word32)CHAR_BIT) - (word32)1)))
+    #define WC_MAX_SINT_OF(x)                                        \
+        ((sword32)((((word32)1 << ((sizeof(x) * (word32)CHAR_BIT) -  \
+                                   (word32)2)) - (word32)1)          \
+                   |                                                 \
+                   ((word32)1 << ((sizeof(x) * (word32)CHAR_BIT) -   \
+                                  (word32)2))))
+    #define WC_MIN_SINT_OF(x)                                        \
+        ((sword32)((word32)1 << ((sizeof(x) * (word32)CHAR_BIT) -    \
+                                 (word32)1)))
+#endif
+
+#define WC_SAFE_SUM_UNSIGNED_NO_WUR(type, in1, in2, out)    \
+        ((in2) <= (WC_MAX_UINT_OF(type) - (in1)) ?          \
+         ((out) = (in1) + (in2), 1) :                       \
+         ((out) = WC_MAX_UINT_OF(type), 0))
+
+#define WC_SAFE_SUM_UNSIGNED(type, in1, in2, out)           \
+        WC_WUR_INT(WC_SAFE_SUM_UNSIGNED_NO_WUR(type, in1, in2, out))
+
+#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && FIPS_VERSION3_LE(6,0,0))
+    #define WC_SAFE_SUM_WORD32(in1, in2, out) \
+            WC_SAFE_SUM_UNSIGNED_NO_WUR(word32, in1, in2, out)
+#else
+    #define WC_SAFE_SUM_WORD32(in1, in2, out) \
+            WC_SAFE_SUM_UNSIGNED(word32, in1, in2, out)
+#endif
+
+#define WC_SAFE_SUM_SIGNED_NO_WUR(type, in1, in2, out)      \
+        ((((in1) > 0) && ((in2) > 0)) ?                     \
+             ((in2) <= WC_MAX_SINT_OF(type) - (in1) ?          \
+              ((out) = (in1) + (in2), 1) :                  \
+              ((out) = (type)WC_MAX_SINT_OF(type), 0))         \
+             :                                              \
+             ((((in1) < 0) && ((in2) < 0)) ?                \
+              ((in2) >= WC_MIN_SINT_OF(type) - (in1) ?         \
+               ((out) = (in1) + (in2), 1) :                 \
+               ((out) = (type)WC_MIN_SINT_OF(type), 0))        \
+              :                                             \
+              ((out) = (in1) + (in2), 1)))
+
+#define WC_SAFE_SUM_SIGNED(type, in1, in2, out)             \
+        WC_WUR_INT(WC_SAFE_SUM_SIGNED_NO_WUR(type, in1, in2, out))
 
 #if defined(HAVE_IO_POOL)
     WOLFSSL_API void* XMALLOC(size_t n, void* heap, int type);