[Rpm-maint] [PATCH] Fix array bounds check of decoding[] in base64_decode_value.

Mark Wielaard mjw at redhat.com
Wed May 25 12:32:26 UTC 2016


This issue was reported against the libb64 public domain code from which
rpmio/base64.c was derived. https://sourceforge.net/p/libb64/bugs/2/
The char signedness issue was already solved differently in our code,
but the array bounds check was missing in rpmio/base64.c.

Fixed suggested by Jakub Wilk and Jonathan Wakely.

Signed-off-by: Mark Wielaard <mjw at redhat.com>
---
 rpmio/base64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rpmio/base64.c b/rpmio/base64.c
index 60e67d4..a3767ca 100644
--- a/rpmio/base64.c
+++ b/rpmio/base64.c
@@ -103,8 +103,9 @@ char *rpmBase64Encode(const void *data, size_t len, int linelen)
 static int base64_decode_value(unsigned char value_in)
 {
 	static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
+	if (value_in < 43) return -1;
 	value_in -= 43;
-	if (value_in > sizeof(decoding)/sizeof(int))
+	if (value_in >= sizeof(decoding)/sizeof(int))
 		return -1;
 	return decoding[value_in];
 }
-- 
2.5.5



More information about the Rpm-maint mailing list