diff options
author | Jerome Forissier <jerome.forissier@linaro.org> | 2019-03-15 17:54:04 +0100 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-03-18 11:45:05 +0100 |
commit | c1e1e2e5259c8d9e7365e315a73a08def84ac0ff (patch) | |
tree | 3a445b9491a3d4ba4d39595f5b7459f1218f832d /lib/libutee | |
parent | 7696ab7fe0b24e5f9981bb1487d0ee8d529ea305 (diff) |
libutee: fix off-by-one errors in base64_dec()
There is a possible buffer overflow in base64_dec(). Since the output
buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and
therefore the buffer must not be written to when the current index m is
such that (m >= *blen), not (m > *blen).
Reported-by: Naveen Thenkani <tnaveenmca@gmail.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Diffstat (limited to 'lib/libutee')
-rw-r--r-- | lib/libutee/base64.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/libutee/base64.c b/lib/libutee/base64.c index f0b9d8be..78611c13 100644 --- a/lib/libutee/base64.c +++ b/lib/libutee/base64.c @@ -84,7 +84,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen) if (!get_idx(data[n], &idx)) continue; - if (m > *blen) + if (m >= *blen) b = NULL; switch (s) { @@ -97,7 +97,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen) if (b) b[m] |= idx >> 4; m++; - if (m > *blen) + if (m >= *blen) b = NULL; if (b) b[m] = (idx & 0xf) << 4; @@ -107,7 +107,7 @@ bool base64_dec(const char *data, size_t size, void *buf, size_t *blen) if (b) b[m] |= idx >> 2; m++; - if (m > *blen) + if (m >= *blen) b = NULL; if (b) b[m] = (idx & 0x3) << 6; |