diff -up openssl-1.0.1e/crypto/evp/e_aes.c.truncated openssl-1.0.1e/crypto/evp/e_aes.c
--- openssl-1.0.1e/crypto/evp/e_aes.c.truncated	2016-11-09 15:31:47.000000000 +0100
+++ openssl-1.0.1e/crypto/evp/e_aes.c	2017-01-30 13:29:46.700570930 +0100
@@ -796,11 +796,17 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
 		gctx->tls_aad_len = arg;
 			{
 			unsigned int len=c->buf[arg-2]<<8|c->buf[arg-1];
+			if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+				return 0;
 			/* Correct length for explicit IV */
 			len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
 			/* If decrypting correct for tag too */
 			if (!c->encrypt)
+				{
+				if (len < EVP_GCM_TLS_TAG_LEN)
+					return 0;
 				len -= EVP_GCM_TLS_TAG_LEN;
+				}
                         c->buf[arg-2] = len>>8;
                         c->buf[arg-1] = len & 0xff;
 			}
diff -up openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c
--- openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c.truncated	2013-02-11 16:26:04.000000000 +0100
+++ openssl-1.0.1e/crypto/evp/e_rc4_hmac_md5.c	2017-01-30 10:33:12.954714810 +0100
@@ -257,6 +257,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_
 
 		if (!ctx->encrypt)
 			{
+			if (len < MD5_DIGEST_LENGTH)
+				return -1;
 			len -= MD5_DIGEST_LENGTH;
 			p[arg-2] = len>>8;
 			p[arg-1] = len;
diff -up openssl-1.0.1e/ssl/t1_enc.c.truncated openssl-1.0.1e/ssl/t1_enc.c
--- openssl-1.0.1e/ssl/t1_enc.c.truncated	2017-01-09 16:42:47.000000000 +0100
+++ openssl-1.0.1e/ssl/t1_enc.c	2017-01-30 10:37:32.836053160 +0100
@@ -805,6 +805,8 @@ int tls1_enc(SSL *s, int send)
 			buf[11]=rec->length>>8;
 			buf[12]=rec->length&0xff;
 			pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
+			if (pad <= 0)
+				return -1;
 			if (send)
 				{
 				l+=pad;