From: Jonas Rebmann <jre@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Jonas Rebmann <jre@pengutronix.de>
Subject: [PATCH 1/2] lib: base64: Fix out-of-bounds potential by respecting dst_len
Date: Mon, 01 Dec 2025 15:09:18 +0100 [thread overview]
Message-ID: <20251201-base64-bounds-v1-1-3ae2b2e8b7cb@pengutronix.de> (raw)
In-Reply-To: <20251201-base64-bounds-v1-0-3ae2b2e8b7cb@pengutronix.de>
__decode_base64 generally writes the input in 3 bytes increments,
corresponding to 4 bytes increments in the base64 input buffer. This
means that in order to respect dst_len as the size of the output buffer,
the case of exceeding dst_len within a loop iteration must be
considered.
In such a case, refrain from writing the last one or two bytes if that
write would be past dst_len.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
lib/base64.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/base64.c b/lib/base64.c
index d5ab217528..3e29f0a56c 100644
--- a/lib/base64.c
+++ b/lib/base64.c
@@ -163,19 +163,19 @@ static int __decode_base64(char *p_dst, int dst_len, const char *src, bool url)
*/
if (count > 1)
*dst++ = six_bit[0] << 2 | six_bit[1] >> 4;
- if (count > 2)
+ if (count > 2 && dst_len > 1)
*dst++ = six_bit[1] << 4 | six_bit[2] >> 2;
- if (count > 3)
+ if (count > 3 && dst_len > 2)
*dst++ = six_bit[2] << 6 | six_bit[3];
+ /* last character was "=" */
+ if (count != 0)
+ length += min(count - 1, dst_len);
/*
* Note that if we decode "AA==" and ate first '=',
* we just decoded one char (count == 2) and now we'll
* do the loop once more to decode second '='.
*/
dst_len -= count-1;
- /* last character was "=" */
- if (count != 0)
- length += count - 1;
}
ret:
p_dst = dst;
--
2.51.2.535.g419c72cb8a
next prev parent reply other threads:[~2025-12-01 14:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-01 14:09 [PATCH 0/2] Fix out-of-bounds potential in decode_base64 and add regression tests Jonas Rebmann
2025-12-01 14:09 ` Jonas Rebmann [this message]
2025-12-01 14:09 ` [PATCH 2/2] test: self: add base64 selftests Jonas Rebmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251201-base64-bounds-v1-1-3ae2b2e8b7cb@pengutronix.de \
--to=jre@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox