--- h:\prj\1original\openssl\openssl\crypto\pem\pvkfmt.c	2010-05-14 15:18:17.000000000 +-0200
+++ h:\prj\3actual\openssl\crypto\pem\pvkfmt.c	2010-04-30 18:45:17.000000000 +-0200
@@ -733,13 +732,16 @@
 	EVP_CIPHER_CTX cctx;
 	EVP_CIPHER_CTX_init(&cctx);
 	if (saltlen)
 		{
 		char psbuf[PEM_BUFSIZE];
 		unsigned char keybuf[20];
-		int enctmplen, inlen;
+		size_t enctmplen;
+		int inlen;
+		size_t inkeylen;
+
 		if (cb)
 			inlen=cb(psbuf,PEM_BUFSIZE,0,u);
 		else
 			inlen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
 		if (inlen <= 0)
 			{
@@ -756,30 +758,35 @@
 			    (unsigned char *)psbuf, inlen))
 			return NULL;
 		p += saltlen;
 		/* Copy BLOBHEADER across, decrypt rest */
 		memcpy(enctmp, p, 8);
 		p += 8;
-		inlen = keylen - 8;
+		if (keylen < 8)
+			{
+			PEMerr(PEM_F_DO_PVK_BODY,PEM_R_BAD_KEYLENGTH);
+			return NULL;
+			}
+		inkeylen = keylen - 8;
 		q = enctmp + 8;
 		if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
 			goto err;
-		if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
+		if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inkeylen))
 			goto err;
 		if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen))
 			goto err;
 		magic = read_ledword((const unsigned char **)&q);
 		if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC)
 			{
 			q = enctmp + 8;
 			memset(keybuf + 5, 0, 11);
 			if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf,
 								NULL))
 				goto err;
 			OPENSSL_cleanse(keybuf, 20);
-			if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen))
+			if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inkeylen))
 				goto err;
 			if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen,
 								&enctmplen))
 				goto err;
 			magic = read_ledword((const unsigned char **)&q);
 			if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC)