From: Daniel Stenberg Date: Tue, 14 Jul 2026 06:52:21 +0000 (+0200) Subject: mime.c: avoid integer overflow in base64 size calculation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc440a89d47aa8f3a5d02b01985fd7f6fb7e7e0a;p=thirdparty%2Fcurl.git mime.c: avoid integer overflow in base64 size calculation Reported-by: xmoezzz on github Fixes #22320 Closes #22322 --- diff --git a/lib/mime.c b/lib/mime.c index 11eb66207d..638831d9c8 100644 --- a/lib/mime.c +++ b/lib/mime.c @@ -419,6 +419,11 @@ static size_t encoder_base64_read(char *buffer, size_t size, bool ateof, return cursize; } +/* The maximum input size that does not cause an overflow. */ +#define BASE64_MAX_INPUT_SIZE \ + (((CURL_OFF_T_MAX / (MAX_ENCODED_LINE_LENGTH + 2)) * \ + MAX_ENCODED_LINE_LENGTH / 4) * 3 - 3) + static curl_off_t encoder_base64_size(curl_mimepart *part) { curl_off_t size = part->datasize; @@ -426,6 +431,10 @@ static curl_off_t encoder_base64_size(curl_mimepart *part) if(size <= 0) return size; /* Unknown size or no data. */ + /* Prevent integer overflows */ + if(size > BASE64_MAX_INPUT_SIZE) + return -1; + /* Compute base64 character count. */ size = 4 * (1 + ((size - 1) / 3));