From: Shivani Bhardwaj
Date: Wed, 24 Apr 2024 07:17:34 +0000 (+0530)
Subject: util/mime: check invalidity after final b64 block
X-Git-Tag: suricata-8.0.0-beta1~1419
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c131a4b3083eebf53023e9d7399c7e33db2fc4d;p=thirdparty%2Fsuricata.git
util/mime: check invalidity after final b64 block
Since there is code in place that skips over invalid base64 characters and creates a new array out of the remainder vector, all test must be made after that final array has been created and against the variable that holds the actual length of the final array.
---
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index f58a701b01..4b9cd23f34 100644
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1176,13 +1176,6 @@ static uint32_t ProcessBase64Remainder(
 SCLogDebug("len %u force %d", len, force);
- /* should be impossible, but lets be defensive */
- DEBUG_VALIDATE_BUG_ON(state->bvr_len > B64_BLOCK);
- if (state->bvr_len > B64_BLOCK) {
- state->bvr_len = 0;
- return 0;
- }
-
 /* Strip spaces in remainder */
 for (uint8_t i = 0; i < state->bvr_len; i++) {
 if (IsBase64Alphabet(state->bvremain[i])) {
@@ -1193,6 +1186,13 @@ static uint32_t ProcessBase64Remainder(
 }
 }
+ /* should be impossible, but lets be defensive */
+ DEBUG_VALIDATE_BUG_ON(cnt > B64_BLOCK);
+ if (cnt > B64_BLOCK) {
+ state->bvr_len = 0;
+ return 0;
+ }
+
 /* if we don't have 4 bytes see if we can fill it from `buf` */
 if (buf && len > 0 && cnt != B64_BLOCK) {
 for (uint32_t i = 0; i < len && cnt < B64_BLOCK; i++) {
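Review bot: The relocated guard in the second hunk, `if (cnt > B64_BLOCK)`, runs only after the strip loop has already iterated over `state->bvr_len` entries of `state->bvremain`, so it can no longer prevent the out-of-range case it is meant to catch. The loop body sits between the two hunks and is not visible here, but the commit message says it builds a new array from the remainder; if that array is B64_BLOCK-sized and indexed by `cnt` (inferred, confirm against the declaration), an oversized `bvr_len` would be written past its end before `cnt` is ever tested. Assuming `cnt` only counts entries copied by that loop, it cannot exceed `bvr_len`, so the new check is dead while the old invariant holds and too late once it does not. I would keep the pre-loop `if (state->bvr_len > B64_BLOCK) { state->bvr_len = 0; return 0; }` removed in the first hunk alongside the new check, or bound the loop itself with `i < state->bvr_len && cnt < B64_BLOCK`. ProcessBase64Remainder starts and ends outside both hunks.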