lib/base64: validate before writing in decode tail path

Patch series "lib/base64: decode fixes", v2.

Two small fixes for lib/base64.c:

1. base64_decode() writes a decoded byte to the output buffer before
   validating the input in the trailing-bytes path. Move the validity
   checks before any writes so dst is untouched on invalid input.

2. The @padding kernel-doc for base64_decode() was copy-pasted from
   base64_encode() and describes the wrong direction.

This patch (of 2):

The trailing-bytes path in base64_decode() writes a decoded byte to the
output buffer before checking whether the input characters are valid.  If
the input is malformed, garbage is written to dst before the function
returns -1.

Move the validity checks before any writes so the output buffer is left
untouched on invalid input.

Link: https://lore.kernel.org/20260324223210.47676-1-objecting@objecting.org
Link: https://lore.kernel.org/20260324223210.47676-2-objecting@objecting.org
Fixes: 9c7d3cf94d33 ("lib/base64: rework encode/decode for speed and stricter validation")
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/lib/base64.c b/lib/base64.c
index 41961a444028b6fd81fe2128fd891626a333ccd2..20dacee25f65080b6d671d10d9cc6038f2842c87 100644 (file)
--- a/lib/base64.c
+++ b/lib/base64.c
@@ -168,15 +168,16 @@ int base64_decode(const char *src, int srclen, u8 *dst, bool padding, enum base6
                return -1;
 
        val = (base64_rev_tables[s[0]] << 12) | (base64_rev_tables[s[1]] << 6);
-       *bp++ = val >> 10;
 
        if (srclen == 2) {
                if (val & 0x800003ff)
                        return -1;
+               *bp++ = val >> 10;
        } else {
                val |= base64_rev_tables[s[2]];
                if (val & 0x80000003)
                        return -1;
+               *bp++ = val >> 10;
                *bp++ = val >> 2;
        }
        return bp - dst;