From bec2c1e52ffeb3bb9ecca70aee23e9538586b703 Mon Sep 17 00:00:00 2001
From: Nick Mills-Barrett
Date: Thu, 12 Dec 2024 20:21:17 +0000
Subject: [PATCH] crypto/attachment: Check dst bounds on encrypted read
---
 crypto/attachment/attachments.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/crypto/attachment/attachments.go b/crypto/attachment/attachments.go
index cfa1c3e5..1f206a9b 100644
--- a/crypto/attachment/attachments.go
+++ b/crypto/attachment/attachments.go
@@ -198,6 +198,9 @@ func (r *encryptingReader) Seek(offset int64, whence int) (int64, error) {
 }

 func (r *encryptingReader) Read(dst []byte) (n int, err error) {
+ if len(dst) < n {
+ return 0, io.ErrUnexpectedEOF
+ }
 if r.closed {
 return 0, ReaderClosed
 } else if r.isDecrypting && r.file.decoded == nil {
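Review bot: The added guard `if len(dst) < n` at the top of `Read` can never fire, because `n` is the named result and is still zero there, so the comparison is `len(dst) < 0`. If the intent is to reject a source reader that reports more bytes than the buffer holds before `dst[:n]` is sliced, the check has to come after the underlying read assigns `n`, e.g. `if n > len(dst) { return 0, io.ErrShortBuffer }`. That read and any slicing are outside the hunk, so the exact placement needs confirming against the rest of the body. As written, an oversized `n` from a misbehaving source would presumably still reach the slice expression and panic, so the bound the subject line promises is not enforced.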