Deal with the unlikely event that EVP_MD_CTX_size() returns an error. (Coverity ID 140).
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 9e38cb5..75c2b63 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -428,6 +428,12 @@ if (!clear) { mac_size=EVP_MD_CTX_size(s->read_hash); + if (mac_size <= 0) + { + al=SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_MAC_LENGTH); + goto f_err; + } if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) {
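Review bot: The added `if (mac_size <= 0)` guard catches a negative return from EVP_MD_CTX_size() only if `mac_size` is a signed type, and its declaration is outside this hunk. If it is declared `unsigned int`, an error return would convert to a very large value, pass the guard, and wrap the `SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size` bound on the next line, so the record-length check would no longer bound the record. Please confirm the declaration is `int mac_size;`, or take the return into a signed temporary before assigning, e.g. `int t=EVP_MD_CTX_size(s->read_hash);` then `if (t <= 0)` and `mac_size=t;`. A one-line comment such as `/* EVP_MD_CTX_size() returns a negative value on error */` above the guard would also help, since the enclosing function starts and ends outside the hunk.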
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 64173af..893eb6e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1996,6 +1996,7 @@
 #define SSL_R_BAD_HELLO_REQUEST 105
 #define SSL_R_BAD_LENGTH 271
 #define SSL_R_BAD_MAC_DECODE 113
+#define SSL_R_BAD_MAC_LENGTH 333
 #define SSL_R_BAD_MESSAGE_TYPE 114
 #define SSL_R_BAD_PACKET_LENGTH 115
 #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 116
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 7879a31..c7b36b5 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -290,6 +290,7 @@
 {ERR_REASON(SSL_R_BAD_HELLO_REQUEST) ,"bad hello request"},
 {ERR_REASON(SSL_R_BAD_LENGTH) ,"bad length"},
 {ERR_REASON(SSL_R_BAD_MAC_DECODE) ,"bad mac decode"},
+{ERR_REASON(SSL_R_BAD_MAC_LENGTH) ,"bad mac length"},
 {ERR_REASON(SSL_R_BAD_MESSAGE_TYPE) ,"bad message type"},
 {ERR_REASON(SSL_R_BAD_PACKET_LENGTH) ,"bad packet length"},
 {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER),"bad protocol version number"},