chunk: Correctly parse Base64 text where four = follow in a row
author: Tobias Brunner <tobias@strongswan.org>
Thu, 4 May 2017 14:16:33 +0000 (16:16 +0200)
committer: Tobias Brunner <tobias@strongswan.org>
Tue, 23 May 2017 16:29:12 +0000 (18:29 +0200)
That's not correct Base64 but invalid data could trigger this. Since
outlen would get reduced four times, but is only ever increased three
times per iteration, this could result in an integer underflow and then
a potential buffer overflow.

src/libstrongswan/utils/chunk.c

index 0c50ab7..8f4b7ef 100644 (file)
@@ -643,7 +643,7 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf)
                outlen += 3;
                for (j = 0; j < 4; j++)
                {
-                       if (*pos == '=')
+                       if (*pos == '=' && outlen > 0)
                        {
                                outlen--;
                        }
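Review bot: The `outlen > 0` guard in the inner loop stops the wrap-around, but a group of four `=` that follows earlier output is still accepted and still subtracts four from `outlen` against the `outlen += 3` above it, so the reported length ends up one byte short of what the previous groups produced. Consider counting the padding characters per group and either capping the decrement at what this iteration added or treating such a group as invalid input, instead of only clamping at zero. A unit test that feeds `====` both alone and after a valid group would pin down the intended result for each case.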