From: Shivani Bhardwaj <shivani@oisf.net>
Date: Wed, 15 May 2024 09:45:47 +0000 (+0530)
Subject: base64: re-add the check for destination space
X-Git-Tag: suricata-8.0.0-beta1~1313
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12d027f6a22907d3f4885336d97732b0319d52a3;p=thirdparty%2Fsuricata.git

base64: re-add the check for destination space

Cover all the calls to DecodeBase64Block with the check for enough
space. Found by the recently introduced fuzz target.

Bug 7028

Fixes: c0bc43c39318 ("util/base64: use decoder fns per RFC")
---

diff --git a/src/util-base64.c b/src/util-base64.c
index 5b58144ad4..ad42c9a703 100644
--- a/src/util-base64.c
+++ b/src/util-base64.c
@@ -139,10 +139,8 @@ static inline Base64Ecode DecodeBase64RFC2045(uint8_t *dest, uint32_t dest_size,
         if (bbidx == B64_BLOCK) {
             /* For every 4 bytes, add 3 bytes but deduct the '=' padded blocks */
             uint32_t numDecoded_blk = ASCII_BLOCK - (padding < B64_BLOCK ? padding : ASCII_BLOCK);
-            if (dest_size < *decoded_bytes + numDecoded_blk) {
-                SCLogDebug("Destination buffer full");
+            if (dest_size - *decoded_bytes < ASCII_BLOCK)
                 return BASE64_ECODE_BUF;
-            }
             /* Decode base-64 block into ascii block and move pointer */
             DecodeBase64Block(dptr, b64);
             dptr += numDecoded_blk;
@@ -212,10 +210,8 @@ static inline Base64Ecode DecodeBase64RFC4648(uint8_t *dest, uint32_t dest_size,
         if (bbidx == B64_BLOCK) {
             /* For every 4 bytes, add 3 bytes but deduct the '=' padded blocks */
             uint32_t numDecoded_blk = ASCII_BLOCK - (padding < B64_BLOCK ? padding : ASCII_BLOCK);
-            if (dest_size < *decoded_bytes + numDecoded_blk) {
-                SCLogDebug("Destination buffer full");
+            if (dest_size - *decoded_bytes < ASCII_BLOCK)
                 return BASE64_ECODE_BUF;
-            }
 
             /* Decode base-64 block into ascii block and move pointer */
             DecodeBase64Block(dptr, b64);
@@ -249,10 +245,8 @@ static inline Base64Ecode DecodeBase64RFC4648(uint8_t *dest, uint32_t dest_size,
          * */
         padding = bbidx > 1 ? B64_BLOCK - bbidx : 2;
         uint32_t numDecoded_blk = ASCII_BLOCK - padding;
-        if (dest_size < *decoded_bytes + numDecoded_blk) {
-            SCLogDebug("Destination buffer full");
+        if (dest_size - *decoded_bytes < ASCII_BLOCK)
             return BASE64_ECODE_BUF;
-        }
         /* Decode base-64 block into ascii block and move pointer */
         DecodeBase64Block(dptr, b64);
         *decoded_bytes += numDecoded_blk;