From b51eedad93e53b6e82f2a052de41fe1e16a65a67 Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron <logan@cyberstorm.mu>
Date: Sun, 31 May 2026 20:19:26 +0400
Subject: [PATCH] reject trailing bytes after decoding

---
 src/wolfcose.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wolfcose.c b/src/wolfcose.c
index 98fc3f8..e8fe491 100644
--- a/src/wolfcose.c
+++ b/src/wolfcose.c
@@ -3567,6 +3567,10 @@ int wc_CoseSign1_Verify(WOLFCOSE_KEY* key,
         ret = wc_CBOR_DecodeBstr(&ctx, &sigData, &sigDataLen);
     }
 
+    if ((ret == WOLFCOSE_SUCCESS) && (ctx.idx != ctx.bufSz)) {
+        ret = WOLFCOSE_E_CBOR_MALFORMED;
+    }
+
     if (ret == WOLFCOSE_SUCCESS) {
         alg = hdr->alg;
     }