libutee: fix off-by-one errors in base64_dec()

There is a possible buffer overflow in base64_dec(). Since the output
buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and
therefore the buffer must not be written to when the current index m is
such that (m >= *blen), not (m > *blen).

Reported-by: Naveen Thenkani <tnaveenmca@gmail.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

1 files changed, 3 insertions, 3 deletions

diff --git a/lib/libutee/base64.c b/lib/libutee/base64.c
index f0b9d8be..78611c13 100644
--- a/lib/libutee/base64.c
+++ b/lib/libutee/base64.c
@@ -84,7 +84,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen)
 		if (!get_idx(data[n], &idx))
 			continue;
 
-		if (m > *blen)
+		if (m >= *blen)
 			b = NULL;
 
 		switch (s) {
@@ -97,7 +97,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen)
 			if (b)
 				b[m] |= idx >> 4;
 			m++;
-			if (m > *blen)
+			if (m >= *blen)
 				b = NULL;
 			if (b)
 				b[m] = (idx & 0xf) << 4;
@@ -107,7 +107,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen)
 			if (b)
 				b[m] |= idx >> 2;
 			m++;
-			if (m > *blen)
+			if (m >= *blen)
 				b = NULL;
 			if (b)
 				b[m] = (idx & 0x3) << 6;