From 61aa4428c1a0a7b747914da0f7b47bae59f4f755 Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Wed, 25 Aug 2021 11:57:01 +0200 Subject: [PATCH] BUG/MINOR: base64: base64urldec() ignores padding in output size check Without this fix, the decode function would proceed even when the output buffer is not large enough, because the padding was not considered. For example, it would not fail with the input length of 23 and the output buffer size of 15, even the actual decoded output size is 17. This patch should be backported to all stable branches that have a base64urldec() function available. --- src/base64.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/base64.c b/src/base64.c index a01f0f6..0601bf6 100644 --- a/src/base64.c +++ b/src/base64.c @@ -194,9 +194,6 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen) signed char b; int convlen = 0, i = 0, pad = 0, padlen = 0; - if (olen < ((ilen / 4 * 3))) - return -2; - switch (ilen % 4) { case 0: break; @@ -210,6 +207,9 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen) return -1; } + if (olen < (((ilen + pad) / 4 * 3) - pad)) + return -2; + while (ilen + pad) { if (ilen) { /* if (*p < UB64CMIN || *p > B64CMAX) */ -- 1.7.10.4