BUG/MINOR: base64: base64urldec() ignores padding in output size check

Without this fix, the decode function would proceed even when the output
buffer is not large enough, because the padding was not considered. For
example, it would not fail with the input length of 23 and the output
buffer size of 15, even the actual decoded output size is 17.

This patch should be backported to all stable branches that have a
base64urldec() function available.

diff --git a/src/base64.c b/src/base64.c
index a01f0f6e8eb54820da9e88b1143e2d01e6f3d3d2..0601bf673e1984e497492c251346f6153d088ee0 100644 (file)
--- a/src/base64.c
+++ b/src/base64.c
@@ -194,9 +194,6 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
        signed char b;
        int convlen = 0, i = 0, pad = 0, padlen = 0;
 
-       if (olen < ((ilen / 4 * 3)))
-               return -2;
-
        switch (ilen % 4) {
                case 0:
                        break;
@@ -210,6 +207,9 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
                        return -1;
        }
 
+       if (olen < (((ilen + pad) / 4 * 3) - pad))
+               return -2;
+
        while (ilen + pad) {
                if (ilen) {
                        /* if (*p < UB64CMIN || *p > B64CMAX) */