Guard Windows absolute-path check with explicit length check

julek-wolfssl · julek-wolfssl · commit 634598f524c1 · 2026-04-16T17:14:06.000+02:00
The drive-letter branch indexed out[1] and out[2] relying on
short-circuit evaluation of NUL-termination. Add an explicit
outSz &gt;= 3 length check before the indexing to avoid any potential
out-of-bounds read that ASAN/UBSAN could flag.
diff --git a/src/x509/clu_x509_sign.c b/src/x509/clu_x509_sign.c
@@ -1049,11 +1049,14 @@ int wolfCLU_CertSignAppendOut(WOLFCLU_CERT_SIGN* csign, char* out)
         int currentSz = (int)XSTRLEN(csign->outDir);
 
         /* If out is an absolute path, use it directly instead of appending.
-         * Matches OpenSSL's ossl_is_absolute_path() behaviour. */
+         * Matches OpenSSL's ossl_is_absolute_path() behaviour. A drive-letter
+         * path (e.g. "C:\" or "C:/") requires at least 3 characters, so guard
+         * the indexing with an explicit length check. */
         if (out[0] == '/'
 #ifdef _WIN32
                 || out[0] == '\\'
-                || (isalpha((unsigned char)out[0]) && out[1] == ':'
+                || (outSz >= 3 && isalpha((unsigned char)out[0])
+                    && out[1] == ':'
                     && (out[2] == '\\' || out[2] == '/'))
 #endif
                 ) {
