author | Dragan Dosen <ddosen@haproxy.com> | 2021-08-25 11:57:01 +0200 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2021-08-25 16:14:14 +0200 |
commit | 61aa4428c1a0a7b747914da0f7b47bae59f4f755 (patch) | |
tree | d456df8ae8d3acd825de08c428107b794f39977e | |
parent | 14c3c5c1216cc8cb7b421135dc44d658a748bc11 (diff) | |
download | haproxy-61aa4428c1a0a7b747914da0f7b47bae59f4f755.tar.gz |
BUG/MINOR: base64: base64urldec() ignores padding in output size check
Without this fix, the decode function would proceed even when the output
buffer is not large enough, because the padding was not considered. For
example, it would not fail with the input length of 23 and the output
buffer size of 15, even though the actual decoded output size is 17.
This patch should be backported to all stable branches that have a
base64urldec() function available.
-rw-r--r-- | src/base64.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/base64.c b/src/base64.c
index a01f0f6e8..0601bf673 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -194,9 +194,6 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
 signed char b;
 int convlen = 0, i = 0, pad = 0, padlen = 0;
 
- if (olen < ((ilen / 4 * 3)))
- return -2;
-
 switch (ilen % 4) {
 case 0:
 break;
@@ -210,6 +207,9 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
 return -1;
 }
 
+ if (olen < (((ilen + pad) / 4 * 3) - pad))
+ return -2;
+
 while (ilen + pad) {
 if (ilen) {
 /* if (*p < UB64CMIN || *p > B64CMAX) */ |
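Review bot: The new bound `(((ilen + pad) / 4 * 3) - pad)` is the exact decoded size, which is up to `pad` bytes smaller than the whole-group size `(ilen + pad) / 4 * 3`, so the check protects `out` only if the decode loop never stores a full 3-byte group for the last, padded quantum. The loop body starts at `while (ilen + pad)` and continues outside this hunk, so that cannot be confirmed from here; each store into `out` should be bounded by `olen`, or the function's contract should state that `olen` must cover whole groups. The check also now depends on `pad` having been set by the `switch` above it, which deserves a comment such as `/* pad is set by the switch above: 3 output bytes per 4-char group, minus one per implied '=' */`.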