diff -up openssl-1.0.1e/crypto/evp/e_aes.c.truncated openssl-1.0.1e/crypto/evp/e_aes.c

--- openssl-1.0.1e/crypto/evp/e_aes.c.truncated	2016-11-09 15:31:47.000000000 +0100

+++ openssl-1.0.1e/crypto/evp/e_aes.c	2017-01-30 13:29:46.700570930 +0100

@@ -796,11 +796,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *

 		gctx->tls_aad_len = arg;

 			{

 			unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];

+			if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)

+				return 0;

 			/* Correct length for explicit IV */

 			len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;

 			/* If decrypting correct for tag too */

 			if (!c->encrypt)

+				{

+				if (len < EVP_GCM_TLS_TAG_LEN)

+					return 0;

 				len -= EVP_GCM_TLS_TAG_LEN;

+				}

                         c->buf[arg-2] = len>>8;

                         c->buf[arg-1] = len & 0xff;

 			}

diff -up openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c

--- openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated	2013-02-11 16:26:04.000000000 +0100

+++ openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c	2017-01-30 10:33:12.954714810 +0100

@@ -257,6 +257,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_

 		if (!ctx->encrypt)

 			{

+			if (len < MD5_DIGEST_LENGTH)

+				return -1;

 			len -= MD5_DIGEST_LENGTH;

 			p[arg-2] = len>>8;

 			p[arg-1] = len;

diff -up openssl-1.0.1e/ssl/t1_enc.c.truncated openssl-1.0.1e/ssl/t1_enc.c

--- openssl-1.0.1e/ssl/t1_enc.c.truncated	2017-01-09 16:42:47.000000000 +0100

+++ openssl-1.0.1e/ssl/t1_enc.c	2017-01-30 10:37:32.836053160 +0100

@@ -805,6 +805,8 @@ int tls1_enc(SSL *s, int send)

 			buf[11]=rec->length>>8;

 			buf[12]=rec->length&0xff;

 			pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);

+			if (pad <= 0)

+				return -1;

 			if (send)

 				{

 				l+=pad;