Fix dec64table[] OOB read in b64decode()

Possible values for y at this point are 0..255. However, dec64table[] only has 128 entries and hence valid indexes are 0..127. The values of y greater than 127 trigger out of bounds read. As dec64table[] is in the data segment, the OOB access is not detected by tools as valgrind or ASAN. This adds a check to ensure y is less than or equal to 127, just like in other cases where dec64table[] is accessed. Note that removal of the y == 0 condition is not a problem, as dec64table[0] == 255, so the second part of the condition is true.
author: Tomas Hoger <thoger@redhat.com> 2018-03-07 11:30:18 +0100
committer: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2018-03-12 22:16:55 +0100
commit: 889d293b45a5b0124aea16c41294860b3905a262 (patch)
tree: 0c52eeddc6f351248a62f71f0cb8d3dbfd12ed87
parent: 71bb51e08dc03f768d19f237fed415bc74246de3 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/src/base64.c b/src/src/base64.c
index dbbd6a40e..e63522ec4 100644
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -173,7 +173,7 @@ while ((x = *code++) != 0)
 
   while (isspace(y = *code++)) ;
   /* debug_printf("b64d: '%c'\n", y); */
-  if (y == 0 || (y = dec64table[y]) == 255)
+  if (y > 127 || (y = dec64table[y]) == 255)
     return -1;
 
   *result++ = (x << 2) | (y >> 4);
author	Tomas Hoger <thoger@redhat.com>	2018-03-07 11:30:18 +0100
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>	2018-03-12 22:16:55 +0100
commit	889d293b45a5b0124aea16c41294860b3905a262 (patch)
tree	0c52eeddc6f351248a62f71f0cb8d3dbfd12ed87
parent	71bb51e08dc03f768d19f237fed415bc74246de3 (diff)