From ef5c5f8ecb1f26ade5dd02cab7405372dde6705e Mon Sep 17 00:00:00 2001
From: Yosuke Shimizu <yosuke@wolfssl.com>
Date: Mon, 8 Jun 2026 10:11:42 +0900
Subject: [PATCH] Fix the error handling on wc_PKCS7_DecodeAuthEnvelopedData

---
 wolfcrypt/src/pkcs7.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index a4091890fd8..e7474d0c697 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -15319,8 +15319,12 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
                     encryptedContent, encryptedContentSz, encryptedContent,
                     pkcs7->devId, pkcs7->heap);
             if (ret != 0) {
-                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
-                return ret;
+                /* Fall through to the shared error handler below, which
+                 * ForceZeros and frees encryptedContent, nulls
+                 * stream->bufferPt/key, and resets the stream. Returning
+                 * here would leave a dangling stream->bufferPt and risk a
+                 * use-after-free / double-free on streaming re-entry. */
+                break;
             }
 
             if (encodedAttribs != NULL) {