From 5b6b138964058ab8d30474bc9fdfb5ffcb3a4726 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Thu, 2 Apr 2026 16:41:55 -0700
Subject: [PATCH] Add sz check to ChachaAEADDecrypt to prevent potential underflow. Thanks to Zou Dikai for the report.
---
 src/internal.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index ccc010acf7..d22b79394a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -20000,10 +20000,15 @@ int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
 byte tag[POLY1305_AUTH_SZ];
 byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
 int ret = 0;
- int msgLen = (sz - ssl->specs.aead_mac_size);
+ int msgLen = 0;
 Keys* keys = &ssl->keys;
 byte* seq = NULL;
 
+ if (sz < ssl->specs.aead_mac_size) {
+ return BAD_FUNC_ARG;
+ }
+ msgLen = (sz - ssl->specs.aead_mac_size);
+
 #ifdef CHACHA_AEAD_TEST
 int i;
 printf("input before decrypt :\n");
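Review bot: The new guard `if (sz < ssl->specs.aead_mac_size) return BAD_FUNC_ARG;` rejects a condition that is driven by peer-supplied record length, not by a caller passing a bad argument, so it is worth confirming that whoever calls ChachaAEADDecrypt turns BAD_FUNC_ARG into the same fatal bad_record_mac alert as any other decryption failure (RFC 5246 §6.2.3.3, RFC 8446 §5.2) rather than treating it as an internal error; if the caller distinguishes the two, a record-layer error code that already maps to bad_record_mac would be the safer return value here. The check itself is right: with `msgLen` an `int` and `sz` presumably an unsigned record length (its type is cut off in the hunk header), the old initializer could go negative and that value is what the remaining body feeds to the length arithmetic, so the comparison must stay before the subtraction. A one-line comment on the guard would make the invariant explicit for the next maintainer: `/* a record shorter than the Poly1305 tag cannot be authenticated; reject it before computing msgLen so it never goes negative */`. The function's parameter list starts before the hunk and its body continues after the `#ifdef CHACHA_AEAD_TEST` block, so the later uses of msgLen were not reviewed here.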