[Rpm-maint] [PATCH] Fix array bounds check of decoding[] in base64_decode_value.

Jonathan Wakely jwakely at redhat.com
Wed May 25 13:10:41 UTC 2016


On 25/05/16 14:32 +0200, Mark Wielaard wrote:
>This issue was reported against the libb64 public domain code from which
>rpmio/base64.c was derived. https://sourceforge.net/p/libb64/bugs/2/
>The char signedness issue was already solved differently in our code,
>but the array bounds check was missing in rpmio/base64.c.

N.B. the >= change was just merged here:
https://github.com/rpm-software-management/rpm/pull/68/files

The value_in < 43 check isn't strictly needed for RPM, because the
code was changed to use unsigned char (unlike upstream libb64 which
uses char), and so if value_in is less than 43 it will wrap to a
positive value greater than 212, which will fail the
sizeof(decoding)/sizeof(int) check.


>Fixes suggested by Jakub Wilk and Jonathan Wakely.
>
>Signed-off-by: Mark Wielaard <mjw at redhat.com>
>---
> rpmio/base64.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/rpmio/base64.c b/rpmio/base64.c
>index 60e67d4..a3767ca 100644
>--- a/rpmio/base64.c
>+++ b/rpmio/base64.c
>@@ -103,8 +103,9 @@ char *rpmBase64Encode(const void *data, size_t len, int linelen)
> static int base64_decode_value(unsigned char value_in)
> {
> 	static const int decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
>+	if (value_in < 43) return -1;
> 	value_in -= 43;
>-	if (value_in > sizeof(decoding)/sizeof(int))
>+	if (value_in >= sizeof(decoding)/sizeof(int))
> 		return -1;
> 	return decoding[value_in];
> }
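
Review bot: the element count in the bounds check is still written as sizeof(decoding)/sizeof(int), which silently goes wrong if the table's element type is ever changed; sizeof(decoding)/sizeof(decoding[0]) keeps it tied to the array. The literal 43 now appears twice (in the new `value_in < 43` test and in the subtraction) with no comment saying that it is the byte value of the table's first entry, so a named constant or a one-line comment would keep the two in step. Because value_in is unsigned char, the subtraction already wraps inputs below 43 to large values that the `>=` test rejects, so the added early return is defensive; a comment saying so would make clear that it becomes load-bearing if the parameter type is changed.
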
>-- 
>2.5.5
>
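
Added example (not part of the original message or the RPM sources): a sweep over all 256 byte values showing which inputs the old `>` check and the new `>=` check let through with an index outside `decoding[]`, and that with `unsigned char` the wrapped indices for inputs below 43 are rejected by the `>=` check alone. The table is copied from the patch context; the helper names `table_index`, `old_check_accepts`, `new_check_accepts` and `count_oob` are hypothetical.

```c
#include <stdio.h>

/* Decoding table copied from the patch context: one entry per byte '+' (43) .. 'z' (122). */
static const int decoding[] = {
    62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,
    -1,-1,-1,-1,-1,-1,
    26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51
};
#define TABLE_LEN (sizeof(decoding) / sizeof(decoding[0]))

/* Same arithmetic as base64_decode_value(): the result is stored back into
 * an unsigned char, so inputs below 43 wrap around to 213..255. */
static unsigned char table_index(unsigned char value_in)
{
    value_in -= 43;
    return value_in;
}

/* Hypothetical helpers: 1 if the check lets the index through to decoding[]. */
static int old_check_accepts(unsigned char idx) { return !(idx > TABLE_LEN); }
static int new_check_accepts(unsigned char idx) { return !(idx >= TABLE_LEN); }

/* Sweep all 256 byte values; count those accepted by `accepts` whose index
 * lies outside decoding[], and record the last such input byte (-1 if none). */
static int count_oob(int (*accepts)(unsigned char), int *bad_input)
{
    int n = 0;
    *bad_input = -1;
    for (int v = 0; v < 256; v++) {
        unsigned char idx = table_index((unsigned char)v);
        if (accepts(idx) && idx >= TABLE_LEN) {
            n++;
            *bad_input = v;
        }
    }
    return n;
}

int main(void)
{
    int bad;
    int n = count_oob(old_check_accepts, &bad);
    printf("old check: %d input(s) index past the table, byte %d\n", n, bad);
    n = count_oob(new_check_accepts, &bad);
    printf("new check alone: %d input(s) index past the table\n", n);
    printf("table length %zu; input 0 wraps to index %u\n", TABLE_LEN, (unsigned)table_index(0));
    return 0;
}
```

The sweep never reads `decoding[]` with an out-of-range index; it only compares the computed index against the table length.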

