]> git.ipfire.org Git - thirdparty/curl.git/commitdiff
mime.c: avoid integer overflow in base64 size calculation
authorDaniel Stenberg <daniel@haxx.se>
Tue, 14 Jul 2026 06:52:21 +0000 (08:52 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 15 Jul 2026 08:59:18 +0000 (10:59 +0200)
Reported-by: xmoezzz on github
Fixes #22320
Closes #22322

lib/mime.c

index 11eb66207de747a24d7ca5e8d4b69882377938ba..638831d9c88feabc9a8877a9e306f505721a25ce 100644 (file)
@@ -419,6 +419,11 @@ static size_t encoder_base64_read(char *buffer, size_t size, bool ateof,
   return cursize;
 }
 
+/* The maximum input size that does not cause an overflow. */
+#define BASE64_MAX_INPUT_SIZE                                           \
+  (((CURL_OFF_T_MAX / (MAX_ENCODED_LINE_LENGTH + 2)) *                  \
+    MAX_ENCODED_LINE_LENGTH / 4) * 3 - 3)
+
 static curl_off_t encoder_base64_size(curl_mimepart *part)
 {
   curl_off_t size = part->datasize;
@@ -426,6 +431,10 @@ static curl_off_t encoder_base64_size(curl_mimepart *part)
   if(size <= 0)
     return size;    /* Unknown size or no data. */
 
+  /* Prevent integer overflows */
+  if(size > BASE64_MAX_INPUT_SIZE)
+    return -1;
+
   /* Compute base64 character count. */
   size = 4 * (1 + ((size - 1) / 3));