fix calls to AesGcmDecrypt and AesCcmDecrypt

src/internal.c

@@ -4295,14 +4295,18 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
 
         #ifdef BUILD_AESGCM
             case cyassl_aes_gcm:
-            {
+                if (AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size > sz) {
+                    return INCOMPLETE_DATA;
+                }
+                else {
                     byte additional[AES_BLOCK_SIZE];
                     byte nonce[AEAD_NONCE_SZ];
 
                     XMEMSET(additional, 0, AES_BLOCK_SIZE);
 
                     /* sequence number field is 64-bits, we only use 32-bits */
-                c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
+                    c32toa(GetSEQIncrement(ssl, 1),
+                                                  additional + AEAD_SEQ_OFFSET);
 
                     additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
                     additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
@@ -4331,14 +4335,18 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
 
         #ifdef HAVE_AESCCM
             case cyassl_aes_ccm:
-            {
+                if (AEAD_EXP_IV_SZ + ssl->specs.aead_mac_size > sz) {
+                    return INCOMPLETE_DATA;
+                }
+                else {
                     byte additional[AES_BLOCK_SIZE];
                     byte nonce[AEAD_NONCE_SZ];
 
                     XMEMSET(additional, 0, AES_BLOCK_SIZE);
 
                     /* sequence number field is 64-bits, we only use 32-bits */
-                c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
+                    c32toa(GetSEQIncrement(ssl, 1),
+                                                  additional + AEAD_SEQ_OFFSET);
 
                     #ifdef CYASSL_DTLS
                         if (ssl->options.dtls)