Commit 78dd798232 for openssl.org

commit 78dd79823215ff37a51d977b47cf0bcb4798cee2
Author: rootvector2 <dxbnaveed.k@gmail.com>
Date:   Sat May 30 00:46:16 2026 +0530

    rsa_sig: reject short buffers in raw verify_recover

    The md==NULL path of rsa_verify_recover passed the caller buffer to
    RSA_public_decrypt without checking routsize, while the X9.31 and PKCS#1
    paths already reject undersized output buffers. RSA_public_decrypt writes
    up to RSA_size() bytes, so a short rout overflows. Validate routsize
    against RSA_size() before the call.

    Fixes: 6f4b7663150e "PROV: add RSA signature implementation"

    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
    MergeDate: Tue Jun  2 11:55:00 2026
    (Merged from https://github.com/openssl/openssl/pull/31340)

diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
index 43f648e2d4..f2be3fd94c 100644
--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
@@ -1016,6 +1016,14 @@ static int rsa_verify_recover(void *vprsactx,
             return 0;
         }
     } else {
+        int rsasize = RSA_size(prsactx->rsa);
+
+        if (routsize < (size_t)rsasize) {
+            ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
+                "buffer size is %d, should be %d",
+                routsize, rsasize);
+            return 0;
+        }
         ret = RSA_public_decrypt((int)siglen, sig, rout, prsactx->rsa,
             prsactx->pad_mode);
         if (ret <= 0) {
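Review bot: In the added ERR_raise_data call, routsize is formatted with %d although the check on the line above treats it as a size_t (rsasize is cast to size_t to compare against it). Passing a size_t through varargs for a %d conversion is a type mismatch, and where size_t is wider than int the sizes reported in the error can be wrong. Suggest a size_t conversion, for example "buffer size is %zu, should be %d", or an explicit cast of routsize to a type that matches the specifier. The check itself sits correctly before RSA_public_decrypt. The visible diff touches only rsa_sig.c, so a regression test that calls verify_recover with no digest set and an undersized rout would be worth adding alongside it.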