2 files changed, 16 insertions, 1 deletions

diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index b35eb62682..48a32bc264 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -79,7 +79,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
 	*(p++)=0;
 	*(p++)=1; /* Private Key BT (Block Type) */
 
-	/* padd out with 0xff data */
+	/* pad out with 0xff data */
 	j=tlen-3-flen;
 	memset(p,0xff,j);
 	p+=j;
@@ -130,6 +130,11 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
 		}
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);
@@ -207,6 +212,11 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
 		}
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 83dfc80c1d..81a857c813 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -142,6 +142,11 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from,
 
 	i++; /* Skip over the '\0' */
 	j-=i;
+	if (j > tlen)
+		{
+		RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_DATA_TOO_LARGE);
+		return(-1);
+		}
 	memcpy(to,p,(unsigned int)j);
 
 	return(j);