--- crypto/openssl/crypto/cms/cms_pwri.c.orig
+++ crypto/openssl/crypto/cms/cms_pwri.c
@@ -228,7 +228,7 @@
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }
--- crypto/openssl/crypto/http/http_lib.c.orig
+++ crypto/openssl/crypto/http/http_lib.c
@@ -267,6 +267,7 @@
         /* strip leading '[' and trailing ']' from escaped IPv6 address */
         sl -= 2;
         strncpy(host, server + 1, sl);
+        host[sl] = '\0';
         server = host;
     }