From: Dragan Dosen <ddosen@haproxy.com>
Date: Wed, 25 Aug 2021 09:57:01 +0000 (+0200)
Subject: BUG/MINOR: base64: base64urldec() ignores padding in output size check
X-Git-Tag: v2.5-dev5~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=61aa4428c1a0a7b747914da0f7b47bae59f4f755;p=thirdparty%2Fhaproxy.git

BUG/MINOR: base64: base64urldec() ignores padding in output size check

Without this fix, the decode function would proceed even when the output
buffer is not large enough, because the padding was not considered. For
example, it would not fail with the input length of 23 and the output
buffer size of 15, even the actual decoded output size is 17.

This patch should be backported to all stable branches that have a
base64urldec() function available.
---

diff --git a/src/base64.c b/src/base64.c
index a01f0f6e8e..0601bf673e 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -194,9 +194,6 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
 	signed char b;
 	int convlen = 0, i = 0, pad = 0, padlen = 0;
 
-	if (olen < ((ilen / 4 * 3)))
-		return -2;
-
 	switch (ilen % 4) {
 		case 0:
 			break;
@@ -210,6 +207,9 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
 			return -1;
 	}
 
+	if (olen < (((ilen + pad) / 4 * 3) - pad))
+		return -2;
+
 	while (ilen + pad) {
 		if (ilen) {
 			/* if (*p < UB64CMIN || *p > B64CMAX) */