Fix OAEP key size check during encoding, and an array over-read when

decoding a message that was so large we decided it was invalid and
truncated it.

2 files changed, 7 insertions, 2 deletions

diff --git a/doc/relnotes/1_11_6.rst b/doc/relnotes/1_11_6.rst
index b51339791..79b2dca2e 100644
--- a/doc/relnotes/1_11_6.rst
+++ b/doc/relnotes/1_11_6.rst
@@ -1,6 +1,11 @@
 Version 1.11.6, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+* OAEP had two bugs, one of which allowed it to be used even if the
+  key was too small, and the other of which would cause a crash during
+  decoding if the input was too large to have been created for the
+  associated key.
+
  * Botan now requires Boost, specifically the filesystem and asio libraries.
 
  * The default TLS policy no longer includes RC4 in the cipher list.
diff --git a/src/pk_pad/eme1/eme1.cpp b/src/pk_pad/eme1/eme1.cpp
index 57275d4f9..dadb44d0a 100644
--- a/src/pk_pad/eme1/eme1.cpp
+++ b/src/pk_pad/eme1/eme1.cpp
@@ -21,7 +21,7 @@ secure_vector<byte> EME1::pad(const byte in[], size_t in_length,
    {
    key_length /= 8;
 
-   if(in_length > key_length - 2*Phash.size() - 1)
+   if(key_length < in_length + 2*Phash.size() + 1)
       throw Invalid_Argument("EME1: Input is too large");
 
    secure_vector<byte> out(key_length);
@@ -82,7 +82,7 @@ secure_vector<byte> EME1::unpad(const byte in[], size_t in_length,
    * to timing analysis. Other compilers, or GCC on other platforms,
    * may or may not.
    */
-   for(size_t i = delim_idx; i != input.size(); ++i)
+   for(size_t i = delim_idx; i < input.size(); ++i)
       {
       const bool zero_p = !input[i];
       const bool one_p = input[i] == 0x01;