From d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 28 Mar 2024 14:00:02 +0100 Subject: [PATCH] util/base64: fix buffer overflow Ticket: 6902 In case the caller of DecodeBase64 does not supply a big enough output buffer. (cherry picked from commit fd47e67dc65f9111895c88fb406c938b1f857325) --- src/util-base64.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/util-base64.c b/src/util-base64.c index 13a8e1eabb..4b0f6b1992 100644 --- a/src/util-base64.c +++ b/src/util-base64.c @@ -155,6 +155,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, ecode = BASE64_ECODE_BUF; break; } + if (dest_size - *decoded_bytes < ASCII_BLOCK) + return BASE64_ECODE_BUF; /* Decode base-64 block into ascii block and move pointer */ DecodeBase64Block(dptr, b64); @@ -182,7 +184,7 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, /* if the destination size is not at least 3 Bytes long, it'll give a dynamic * buffer overflow while decoding, so, return and let the caller take care of the * remaining bytes to be decoded which should always be < 4 at this stage */ - if (dest_size - *decoded_bytes < 3) + if (dest_size - *decoded_bytes < ASCII_BLOCK) return BASE64_ECODE_BUF; *decoded_bytes += numDecoded_blk; DecodeBase64Block(dptr, b64); @@ -192,6 +194,8 @@ Base64Ecode DecodeBase64(uint8_t *dest, uint32_t dest_size, const uint8_t *src, /* Finish remaining b64 bytes by padding */ if (valid && bbidx > 0 && (mode != BASE64_MODE_RFC2045)) { /* Decode remaining */ + if (dest_size - *decoded_bytes < ASCII_BLOCK) + return BASE64_ECODE_BUF; *decoded_bytes += ASCII_BLOCK - (B64_BLOCK - bbidx); DecodeBase64Block(dptr, b64); } -- 2.47.2