Re: [PR] GH-49614: [C++] Fix silent truncation in base64_decode on invalid input [arrow]

via GitHub Sun, 12 Apr 2026 21:09:58 -0700


Copilot commented on code in PR #49660:
URL: https://github.com/apache/arrow/pull/49660#discussion_r3070831903



##########
cpp/src/arrow/util/CMakeLists.txt:
##########
@@ -49,6 +49,7 @@ add_arrow_test(utility-test
                SOURCES
                align_util_test.cc
                atfork_test.cc
+               base64_test.cc
                byte_size_test.cc

Review Comment:
   `base64_test.cc` was added to the CMake `utility-test` sources here, but the 
Meson build also enumerates `utility_test_srcs` (in 
`cpp/src/arrow/util/meson.build`) and currently doesn't include 
`base64_test.cc`. This means Meson-based test builds will miss the new base64 
coverage; consider updating the Meson test source list as well to keep 
build-system parity.



##########
cpp/src/arrow/util/base64_test.cc:
##########
@@ -0,0 +1,98 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "arrow/util/base64.h"
+#include "arrow/testing/gtest_util.h"
+
+namespace arrow {
+namespace util {
+
+TEST(Base64DecodeTest, ValidInputs) {
+  ASSERT_OK_AND_ASSIGN(auto empty, base64_decode(""));
+  EXPECT_EQ(empty, "");
+
+  ASSERT_OK_AND_ASSIGN(auto two_paddings, base64_decode("Zg=="));
+  EXPECT_EQ(two_paddings, "f");
+
+  ASSERT_OK_AND_ASSIGN(auto one_padding, base64_decode("Zm8="));
+  EXPECT_EQ(one_padding, "fo");
+
+  ASSERT_OK_AND_ASSIGN(auto no_padding, base64_decode("Zm9v"));
+  EXPECT_EQ(no_padding, "foo");
+
+  ASSERT_OK_AND_ASSIGN(auto multiblock, base64_decode("SGVsbG8gd29ybGQ="));
+  EXPECT_EQ(multiblock, "Hello world");
+}
+
+TEST(Base64DecodeTest, BinaryOutput) {
+  // 'A' maps to index 0 — same zero value used for padding slots
+  // verifies the 'A' bug is not present
+  ASSERT_OK_AND_ASSIGN(auto all_A, base64_decode("AAAA"));
+  EXPECT_EQ(all_A, std::string("\x00\x00\x00", 3));
+
+  // Arbitrary non-ASCII output bytes
+  ASSERT_OK_AND_ASSIGN(auto binary, base64_decode("AP8A"));
+  EXPECT_EQ(binary, std::string("\x00\xff\x00", 3));
+}
+
+TEST(Base64DecodeTest, InvalidLength) {
+  ASSERT_RAISES_WITH_MESSAGE(
+      Invalid, "Invalid: Invalid base64 input: length is not a multiple of 4",
+      base64_decode("abc"));
+}
+
+TEST(Base64DecodeTest, InvalidCharacters) {
+  ASSERT_RAISES_WITH_MESSAGE(
+      Invalid, "Invalid: Invalid base64 input: character is not valid base64 
character",
+      base64_decode("ab$="));
+
+  // Non-ASCII byte
+  std::string non_ascii = std::string("abc") + static_cast<char>(0xFF);
+  ASSERT_RAISES_WITH_MESSAGE(
+      Invalid, "Invalid: Invalid base64 input: character is not valid base64 
character",
+      base64_decode(non_ascii));
+
+  // Corruption mid-string across multiple blocks
+  ASSERT_RAISES_WITH_MESSAGE(
+      Invalid, "Invalid: Invalid base64 input: character is not valid base64 
character",
+      base64_decode("aGVs$G8gd29ybGQ="));
+}
+
+TEST(Base64DecodeTest, InvalidPadding) {
+  // Padding in wrong position within block
+  ASSERT_RAISES_WITH_MESSAGE(Invalid,
+                             "Invalid: Invalid base64 input: padding in wrong 
position",
+                             base64_decode("ab=c"));
+
+  // 3 padding characters — exceeds maximum of 2
+  ASSERT_RAISES_WITH_MESSAGE(Invalid,
+                             "Invalid: Invalid base64 input: too many padding 
characters",
+                             base64_decode("a==="));
+
+  // 4 padding characters
+  ASSERT_RAISES_WITH_MESSAGE(Invalid,
+                             "Invalid: Invalid base64 input: too many padding 
characters",
+                             base64_decode("===="));
+

Review Comment:
   The invalid-padding tests cover placement and count of '=' but don't cover 
the case where padding is present in the final block yet the unused bits are 
non-zero (which should be rejected if we're strictly validating padding). 
Adding cases like "Zn==" (should be invalid despite decoding to "f") and a 
1-padding example where the third sextet's low 2 bits are non-zero would 
prevent regressions once the decoder enforces these rules.
   ```suggestion
   
     // Two paddings with non-zero unused bits in the second sextet
     ASSERT_RAISES_WITH_MESSAGE(
         Invalid, "Invalid: Invalid base64 input: non-zero unused bits in 
padded block",
         base64_decode("Zn=="));
   
     // One padding with non-zero unused bits in the third sextet
     ASSERT_RAISES_WITH_MESSAGE(
         Invalid, "Invalid: Invalid base64 input: non-zero unused bits in 
padded block",
         base64_decode("Zm9="));
   ```



##########
cpp/src/arrow/vendored/base64.cpp:
##########
@@ -93,38 +89,65 @@ std::string base64_encode(std::string_view 
string_to_encode) {
   return base64_encode(bytes_to_encode, in_len);
 }
 
-std::string base64_decode(std::string_view encoded_string) {
+Result<std::string> base64_decode(std::string_view encoded_string) {
   size_t in_len = encoded_string.size();
   int i = 0;
-  int j = 0;
-  int in_ = 0;
+  std::string_view::size_type in_ = 0;
+  int padding_count = 0;
+  int block_padding = 0;
+  bool padding_started = false;
   unsigned char char_array_4[4], char_array_3[3];
   std::string ret;
 
-  while (in_len-- && ( encoded_string[in_] != '=') && 
is_base64(encoded_string[in_])) {
-    char_array_4[i++] = encoded_string[in_]; in_++;
-    if (i ==4) {
-      for (i = 0; i <4; i++)
-        char_array_4[i] = base64_chars.find(char_array_4[i]) & 0xff;
+  if (encoded_string.size() % 4 != 0) {
+    return Status::Invalid("Invalid base64 input: length is not a multiple of 
4");
+  }
 
-      char_array_3[0] = ( char_array_4[0] << 2       ) + ((char_array_4[1] & 
0x30) >> 4);
-      char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 
0x3c) >> 2);
-      char_array_3[2] = ((char_array_4[2] & 0x3) << 6) +   char_array_4[3];
+  while (in_len--) {
+    unsigned char c = encoded_string[in_];
 
-      for (i = 0; (i < 3); i++)
-        ret += char_array_3[i];
-      i = 0;
+    if (c == '=') {
+      padding_started = true;
+      padding_count++;
+
+      if (padding_count > 2) {
+        return Status::Invalid("Invalid base64 input: too many padding 
characters");
+      }
+
+      char_array_4[i++] = 0;
+    } else {
+      if (padding_started) {
+        return Status::Invalid("Invalid base64 input: padding in wrong 
position");
+      }
+
+      if (base64_chars.find(c) == std::string::npos) {
+        return Status::Invalid("Invalid base64 input: character is not valid 
base64 character");
+      }
+
+      char_array_4[i++] = c;
     }
-  }
 
-  if (i) {
-    for (j = 0; j < i; j++)
-      char_array_4[j] = base64_chars.find(char_array_4[j]) & 0xff;
+    in_++;
+
+    if (i == 4) {
+      for (i = 0; i < 4; i++) {
+        if (char_array_4[i] != 0) {
+          char_array_4[i] = base64_chars.find(char_array_4[i]) & 0xff;
+        }
+      }
+
+      char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 
4);
+      char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 
0x3c) >> 2);
+      char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
+
+      block_padding = padding_count;
 

Review Comment:
   `base64_decode` currently treats '=' as padding but doesn't validate the RFC 
4648 requirement that the unused bits in the final quantum are zero. As a 
result, some incorrectly padded inputs decode successfully (e.g. "Zn==" decodes 
to "f" even though with '==' padding the low 4 bits of the second sextet must 
be 0; similarly with single '=' padding the low 2 bits of the third sextet must 
be 0). Consider adding explicit checks after mapping to sextets and returning 
`Status::Invalid` when these trailing bits are non-zero so "incorrect padding" 
is fully rejected.
   ```suggestion
         block_padding = padding_count;
         if (block_padding == 2 && (char_array_4[1] & 0x0f) != 0) {
           return Status::Invalid("Invalid base64 input: incorrect padding");
         }
         if (block_padding == 1 && (char_array_4[2] & 0x03) != 0) {
           return Status::Invalid("Invalid base64 input: incorrect padding");
         }
   
         char_array_3[0] = (char_array_4[0] << 2) + ((char_array_4[1] & 0x30) 
>> 4);
         char_array_3[1] = ((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 
0x3c) >> 2);
         char_array_3[2] = ((char_array_4[2] & 0x3) << 6) + char_array_4[3];
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] GH-49614: [C++] Fix silent truncation in base64_decode on invalid input [arrow]

Reply via email to