[EMAIL PROTECTED] writes:
> I discovered a buffer overflow bug in the base64_encode() function,
> located at line 1905 in file src\utils.c. Note that this bug is in the
> latest version of the program (version 1.10.2) The bug appears to be that
> the function is assuming that the input data is a size that is an even
> multiple of 3 bytes. No doubt this is due to the fact that the base 64
> algorithm is converting data to base 64 three bytes at a time. The
> problem here is that if the block of data is not an even multiple of 3
> bytes, then the last group of bytes will be either 1 or 2 bytes long.
> This means that the only the last 1 or 2 bytes should be used in the base
> 64 algorithm.
You're right; thanks for reporting this. I have now installed this fix:
2006-06-19 Hrvoje Niksic <[EMAIL PROTECTED]>
* utils.c (base64_encode): Would read past end of STR.
Reported by [EMAIL PROTECTED]
Index: src/utils.c
===================================================================
--- src/utils.c (revision 2151)
+++ src/utils.c (working copy)
@@ -1912,26 +1912,35 @@
'w','x','y','z','0','1','2','3',
'4','5','6','7','8','9','+','/'
};
- int i;
const unsigned char *s = (const unsigned char *) str;
+ const unsigned char *end = (const unsigned char *) str + length - 2;
char *p = b64store;
/* Transform the 3x8 bits to 4x6 bits, as required by base64. */
- for (i = 0; i < length; i += 3)
+ for (; s < end; s += 3)
{
*p++ = tbl[s[0] >> 2];
*p++ = tbl[((s[0] & 3) << 4) + (s[1] >> 4)];
*p++ = tbl[((s[1] & 0xf) << 2) + (s[2] >> 6)];
*p++ = tbl[s[2] & 0x3f];
- s += 3;
}
/* Pad the result if necessary... */
- if (i == length + 1)
- *(p - 1) = '=';
- else if (i == length + 2)
- *(p - 1) = *(p - 2) = '=';
-
+ switch (length % 3)
+ {
+ case 1:
+ *p++ = tbl[s[0] >> 2];
+ *p++ = tbl[(s[0] & 3) << 4];
+ *p++ = '=';
+ *p++ = '=';
+ break;
+ case 2:
+ *p++ = tbl[s[0] >> 2];
+ *p++ = tbl[((s[0] & 3) << 4) + (s[1] >> 4)];
+ *p++ = tbl[((s[1] & 0xf) << 2)];
+ *p++ = '=';
+ break;
+ }
/* ...and zero-terminate it. */
*p = '\0';
