diff -Naur a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
--- a/crypto/cms/cms_pwri.c 2025-10-20 14:39:00.911711997 +0800
+++ b/crypto/cms/cms_pwri.c 2025-10-20 14:44:15.013826915 +0800
@@ -228,7 +228,7 @@
/* Check byte failure */
goto err;
}
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
/* Invalid length value */
goto err;
}