From: Tobias Brunner Date: Thu, 4 May 2017 14:16:33 +0000 (+0200) Subject: chunk: Correctly parse Base64 text where four = follow in a row X-Git-Tag: 5.5.3~26^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aed77b096191f395e347c4aa00cbb7797c03d0f6;p=thirdparty%2Fstrongswan.git chunk: Correctly parse Base64 text where four = follow in a row That's not correct Base64 but invalid data could trigger this. Since outlen would get reduced four times, but is only ever increased three times per iteration, this could result in an integer underflow and then a potential buffer overflow. --- diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c index 0c50ab7884..8f4b7efffa 100644 --- a/src/libstrongswan/utils/chunk.c +++ b/src/libstrongswan/utils/chunk.c @@ -643,7 +643,7 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf) outlen += 3; for (j = 0; j < 4; j++) { - if (*pos == '=') + if (*pos == '=' && outlen > 0) { outlen--; }
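Review bot: At the `if (*pos == '=' && outlen > 0)` check, the guard stops `outlen` from underflowing, but a `=` seen while `outlen` is 0 now fails the whole condition and falls through to whatever follows this `if`, which the hunk does not show. If an `else` branch there decodes the character as data, the fourth `=` of a group would be processed on that path, so confirm it handles `=` safely, or keep the `*pos == '='` test on its own and nest the `outlen > 0` check inside it. The commit message says four `=` in a row is not correct Base64, so a short comment on the guard and a unit test that feeds a `====` group would document why the check exists and keep it from regressing.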