From ae8b7a0f1a5cf569f52f35fc1f113d0c4f354f6e Mon Sep 17 00:00:00 2001 From: Nikias Bassen Date: Wed, 14 Dec 2016 02:32:47 +0100 Subject: base64: Prevent use of strlen() in base64decode when input buffer size is known --- src/base64.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/base64.c b/src/base64.c index 1595bd0..7870a79 100644 --- a/src/base64.c +++ b/src/base64.c @@ -105,22 +105,23 @@ static int base64decode_block(unsigned char *target, const char *data, size_t da unsigned char *base64decode(const char *buf, size_t *size) { - if (!buf) return NULL; - size_t len = strlen(buf); + if (!buf || !size) return NULL; + size_t len = (*size > 0) ? *size : strlen(buf); if (len <= 0) return NULL; unsigned char *outbuf = (unsigned char*)malloc((len/4)*3+3); const char *ptr = buf; int p = 0; + size_t l = 0; do { ptr += strspn(ptr, "\r\n\t "); - if (*ptr == '\0') { + if (*ptr == '\0' || ptr >= buf+len) { break; } - len = strcspn(ptr, "\r\n\t "); - if (len > 3) { - p+=base64decode_block(outbuf+p, ptr, len); - ptr += len; + l = strcspn(ptr, "\r\n\t "); + if (l > 3 && ptr+l <= buf+len) { + p+=base64decode_block(outbuf+p, ptr, l); + ptr += l; } else { break; } -- cgit v1.1-32-gdbae