From 52e9112b563e6ee472a31136ec9dc69876cf6e02 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Thu, 21 Jan 2021 14:06:11 +0300
Subject: [PATCH] No panic during too short MGM message

---
 gogost.go | 2 +-
 mgm/mode.go | 4 +++-
 news.texi | 4 ++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/gogost.go b/gogost.go
index e148c68..ed45ddf 100644
--- a/gogost.go
+++ b/gogost.go
@@ -1,4 +1,4 @@
 // Pure Go GOST cryptographic functions library.
 package gogost
 
-const Version = "5.1.1"
+const Version = "5.2.0"
diff --git a/mgm/mode.go b/mgm/mode.go
index 065bff5..c281567 100644
--- a/mgm/mode.go
+++ b/mgm/mode.go
@@ -234,7 +234,9 @@ func (mgm *MGM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 func (mgm *MGM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
 mgm.validateNonce(nonce)
 mgm.validateSizes(ciphertext, additionalData)
- if uint64(len(ciphertext)-mgm.tagSize) > mgm.maxSize {
+ if len(ciphertext) < mgm.TagSize {
+ return nil, errors.New("ciphertext is too short")
+ }
 if uint64(len(ciphertext)-mgm.TagSize) > mgm.MaxSize {
 panic("ciphertext is too big")
 }
diff --git a/news.texi b/news.texi
index 33ea649..50b3e3a 100644
--- a/news.texi
+++ b/news.texi
@@ -3,6 +3,10 @@
 @table @strong
 
+@anchor{Release 5.2.0}
+@item 5.2.0
+ MGM does not panic when short (tagless) message is verified.
+
 @anchor{Release 5.1.1}
 @item 5.1.1
 Tarball uses vendoring, instead of @env{GOPATH} overriding.
 
-- 
2.44.0
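Review bot: The new guard in Open returns a fresh `errors.New("ciphertext is too short")` on every call, so callers can only recognise this failure by comparing the message string, and it cannot be matched with `errors.Is`. A package-level sentinel keeps the same message and makes the condition addressable: `var ErrTooShort = errors.New("ciphertext is too short")` at package scope, with the guard returning `return nil, ErrTooShort`. Note also that the check runs after `mgm.validateSizes(ciphertext, additionalData)`; if that helper already panics for a ciphertext shorter than the tag, the new return is never reached, which is worth confirming since its body is not in the hunk. The rest of Open, including whatever it returns on tag mismatch, continues outside the hunk.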