1 |
From ae8b7a0f1a5cf569f52f35fc1f113d0c4f354f6e Mon Sep 17 00:00:00 2001 |
2 |
From: Nikias Bassen <nikias@gmx.li> |
3 |
Date: Wed, 14 Dec 2016 02:32:47 +0100 |
4 |
Subject: [PATCH] base64: Prevent use of strlen() in base64decode when input |
5 |
buffer size is known |
6 |
|
7 |
--- |
8 |
src/base64.c | 15 ++++++++------- |
9 |
1 file changed, 8 insertions(+), 7 deletions(-) |
10 |
|
11 |
diff --git a/src/base64.c b/src/base64.c |
12 |
index 1595bd0..7870a79 100644 |
13 |
--- a/src/base64.c |
14 |
+++ b/src/base64.c |
15 |
@@ -105,22 +105,23 @@ static int base64decode_block(unsigned char *target, const char *data, size_t da |
16 |
|
17 |
unsigned char *base64decode(const char *buf, size_t *size) |
18 |
{ |
19 |
- if (!buf) return NULL; |
20 |
- size_t len = strlen(buf); |
21 |
+ if (!buf || !size) return NULL; |
22 |
+ size_t len = (*size > 0) ? *size : strlen(buf); |
23 |
if (len <= 0) return NULL; |
24 |
unsigned char *outbuf = (unsigned char*)malloc((len/4)*3+3); |
25 |
const char *ptr = buf; |
26 |
int p = 0; |
27 |
+ size_t l = 0; |
28 |
|
29 |
do { |
30 |
ptr += strspn(ptr, "\r\n\t "); |
31 |
- if (*ptr == '\0') { |
32 |
+ if (*ptr == '\0' || ptr >= buf+len) { |
33 |
break; |
34 |
} |
35 |
- len = strcspn(ptr, "\r\n\t "); |
36 |
- if (len > 3) { |
37 |
- p+=base64decode_block(outbuf+p, ptr, len); |
38 |
- ptr += len; |
39 |
+ l = strcspn(ptr, "\r\n\t "); |
40 |
+ if (l > 3 && ptr+l <= buf+len) { |
41 |
+ p+=base64decode_block(outbuf+p, ptr, l); |
42 |
+ ptr += l; |
43 |
} else { |
44 |
break; |
45 |
} |