From 97f0d6a6ad02ec71f6f144299d1b971b493d5d32 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 20 May 2024 14:20:27 +0100
Subject: [PATCH] openssl/oct: improve bound check for len

Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
 lib/openssl/oct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/openssl/oct.c b/lib/openssl/oct.c
index df4f0907..ef76b4ef 100644
--- a/lib/openssl/oct.c
+++ b/lib/openssl/oct.c
@@ -45,7 +45,7 @@ jwk_make_execute(jose_cfg_t *cfg, json_t *jwk)
     if (json_unpack(jwk, "{s:I}", "bytes", &len) < 0)
         return false;
 
-    if (len > KEYMAX)
+    if (len <= 0 || len > KEYMAX)
         return false;
 
     if (RAND_bytes(key, len) <= 0)