util/base64: fix buffer overflow

Ticket: 6902

In case the caller of DecodeBase64 does not supply a big enough
output buffer.

(cherry picked from commit fd47e67dc65f9111895c88fb406c938b1f857325)

diff --git a/src/util-base64.c b/src/util-base64.c
index 13a8e1eabb23dc0e4b3761aea1c125ef7e9cfe13..4b0f6b19921ab28f4a9a7afff073a028396dbc6b 100644 (file)
--- a/src/util-base64.c
+++ b/src/util-base64.c
@@ -155,6 +155,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src,
                 ecode = BASE64_ECODE_BUF;
                 break;
             }
+            if (dest_size - *decoded_bytes < ASCII_BLOCK)
+                return BASE64_ECODE_BUF;
 
             /* Decode base-64 block into ascii block and move pointer */
             DecodeBase64Block(dptr, b64);
@@ -182,7 +184,7 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src,
         /* if the destination size is not at least 3 Bytes long, it'll give a dynamic
          * buffer overflow while decoding, so, return and let the caller take care of the
          * remaining bytes to be decoded which should always be < 4 at this stage */
-        if (dest_size - *decoded_bytes < 3)
+        if (dest_size - *decoded_bytes < ASCII_BLOCK)
             return BASE64_ECODE_BUF;
         *decoded_bytes += numDecoded_blk;
         DecodeBase64Block(dptr, b64);
@@ -192,6 +194,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src,
     /* Finish remaining b64 bytes by padding */
     if (valid && bbidx > 0 && (mode != BASE64_MODE_RFC2045)) {
         /* Decode remaining */
+        if (dest_size - *decoded_bytes < ASCII_BLOCK)
+            return BASE64_ECODE_BUF;
         *decoded_bytes += ASCII_BLOCK - (B64_BLOCK - bbidx);
         DecodeBase64Block(dptr, b64);
     }