From: Remi Gacogne Date: Tue, 3 Feb 2026 09:32:02 +0000 (+0100) Subject: dnsdist: Better handling of invalid Base64 content X-Git-Tag: rec-5.5.0-alpha0~40^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9bd17fc54a0c12e136658704e8eb2724d90eeb7e;p=thirdparty%2Fpdns.git dnsdist: Better handling of invalid Base64 content The existing code would throw an exception instead of returning an error for some invalid content, which was harder to diagnose. Reported by Surya Narayan Kushwaha (aka Cavid), thanks! Signed-off-by: Remi Gacogne --- diff --git a/pdns/dnsdistdist/dnsdist-crypto.cc b/pdns/dnsdistdist/dnsdist-crypto.cc index c864ac8c2a..2c01a0e960 100644 --- a/pdns/dnsdistdist/dnsdist-crypto.cc +++ b/pdns/dnsdistdist/dnsdist-crypto.cc @@ -509,6 +509,9 @@ int B64Decode(const std::string& strInput, Container& strOutput) #endif } // while if (pad) { + if (pad > strOutput.size()) { + return -1; // padding-only (or otherwise invalid) Base64 + } strOutput.resize(strOutput.size() - pad); }
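
Review bot: the new `return -1;` inside the `pad > strOutput.size()` check in B64Decode() leaves `strOutput` holding whatever bytes were decoded before the padding was counted, so a caller that does not check the return value still sees partial output. Consider calling `strOutput.clear()` before returning, or documenting that the container's content is unspecified when -1 is returned. The diff touches only dnsdist-crypto.cc, so a regression test that feeds padding-only input and expects -1 instead of an exception would also be worth adding alongside this change. Without the check, `strOutput.size() - pad` wraps around as an unsigned subtraction when `pad` is larger than the size; a short comment saying so next to the condition would make its purpose clear to later readers.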