Rfc3394WrapEngine: check input length in Unwrap

2 files changed, 21 insertions, 5 deletions

diff --git a/crypto/src/crypto/engines/RFC3394WrapEngine.cs b/crypto/src/crypto/engines/RFC3394WrapEngine.cs
index e68e45365..ff3a4e0a0 100644
--- a/crypto/src/crypto/engines/RFC3394WrapEngine.cs
+++ b/crypto/src/crypto/engines/RFC3394WrapEngine.cs
@@ -128,6 +128,10 @@ namespace Org.BouncyCastle.Crypto.Engines
 			{
 				throw new InvalidOperationException("not set for unwrapping");
 			}
+            if (inLen < iv.Length)
+            {
+                throw new InvalidCipherTextException("unwrap data too short");
+            }
 
 			int n = inLen / 8;
 
diff --git a/crypto/test/src/crypto/test/AESWrapTest.cs b/crypto/test/src/crypto/test/AESWrapTest.cs
index beaa3d3cd..7d9bcd497 100644
--- a/crypto/test/src/crypto/test/AESWrapTest.cs
+++ b/crypto/test/src/crypto/test/AESWrapTest.cs
@@ -163,23 +163,35 @@ namespace Org.BouncyCastle.Crypto.Tests
 			}
 
 			//
-			// short test
+			// short tests
 			//
 			try
 			{
 				wrapper.Init(false, key);
 
-				wrapper.Unwrap(buf, 0, buf.Length / 2);
+				wrapper.Unwrap(buf, 0, 0);
 
-				return new SimpleTestResult(false, Name + ": failed unwrap short test.");
+				return new SimpleTestResult(false, Name + ": failed unwrap short test 1.");
 			}
 			catch (InvalidCipherTextException)
 			{
 				// expected
 			}
+            try
+            {
+                wrapper.Init(false, key);
 
-			try
-			{
+                wrapper.Unwrap(buf, 0, buf.Length / 2);
+
+                return new SimpleTestResult(false, Name + ": failed unwrap short test 2.");
+            }
+            catch (InvalidCipherTextException)
+            {
+                // expected
+            }
+
+            try
+            {
 				wrapper.Init(true, key);
 
 				wrapper.Wrap(buf, 0, 15);