From f8726148dfa6407c33b71e437273e79d1252b8f2 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Tue, 23 Jul 2024 19:07:32 -0500
Subject: [PATCH] wolfcrypt/src/aes.c: in wc_AesGcmEncrypt() and
 wc_AesGcmDecrypt(), check and return BAD_FUNC_ARG for nonzero sizes
 associated with null pointers.

---
 wolfcrypt/src/aes.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 247cd3c777..747c22c70e 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -8308,7 +8308,10 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     int ret;
 
     /* argument checks */
-    if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0) {
+    if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0 ||
+        ((authTagSz > 0) && (authTag == NULL)) ||
+        ((authInSz > 0) && (authIn == NULL)))
+    {
         return BAD_FUNC_ARG;
     }
 
@@ -8437,8 +8440,8 @@ int  wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
      * in and out are don't cares, as this is is the GMAC case. */
     if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
         authTag == NULL || authTagSz > AES_BLOCK_SIZE || authTagSz == 0 ||
-        ivSz == 0) {
-
+        ivSz == 0 || ((authInSz > 0) && (authIn == NULL)))
+    {
         return BAD_FUNC_ARG;
     }