base64: Extended validation to look for invalid characters (c92c30ed) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

lib/base64.c

+44 −16

Original line number	Diff line number	Diff line
		@@ -40,22 +40,32 @@
		static const char table64[]=
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

		static void decodeQuantum(unsigned char dest, const char src)
		static size_t decodeQuantum(unsigned char dest, const char src)
		{
		size_t padding = 0;
		const char s, p;
		unsigned long i, v, x = 0;

		for(i = 0, s = src; i < 4; i++, s++) {
		v = 0;

		if(*s == '=') {
		x = (x << 6);
		padding++;
		}
		else {
		p = table64;

		while(p && (p != *s)) {
		v++;
		p++;
		}

		if(p == s)
		x = (x << 6) + v;
		else if(*s == '=')
		x = (x << 6);
		else
		return 0;
		}
		}

		dest[2] = curlx_ultouc(x & 0xFFUL);
		@@ -63,6 +73,8 @@ static void decodeQuantum(unsigned char dest, const char src)
		dest[1] = curlx_ultouc(x & 0xFFUL);
		x >>= 8;
		dest[0] = curlx_ultouc(x & 0xFFUL);

		return 3 - padding;
		}

		/*
		@@ -86,9 +98,11 @@ CURLcode Curl_base64_decode(const char *src,
		size_t length = 0;
		size_t equalsTerm = 0;
		size_t i;
		size_t result;
		size_t numQuantums;
		unsigned char lastQuantum[3];
		size_t rawlen = 0;
		unsigned char *pos;
		unsigned char *newstr;

		*outptr = NULL;
		@@ -125,24 +139,38 @@ CURLcode Curl_base64_decode(const char *src,
		if(!newstr)
		return CURLE_OUT_OF_MEMORY;

		*outptr = newstr;
		pos = newstr;

		/* Decode all but the last quantum (which may not decode to a
		multiple of 3 bytes) */
		for(i = 0; i < numQuantums - 1; i++) {
		decodeQuantum(newstr, src);
		newstr += 3; src += 4;
		result = decodeQuantum(pos, src);
		if(!result) {
		Curl_safefree(newstr);

		return CURLE_BAD_CONTENT_ENCODING;
		}

		pos += result;
		src += 4;
		}

		/* Decode the last quantum */
		decodeQuantum(lastQuantum, src);
		result = decodeQuantum(lastQuantum, src);
		if(!result) {
		Curl_safefree(newstr);

		return CURLE_BAD_CONTENT_ENCODING;
		}

		for(i = 0; i < 3 - equalsTerm; i++)
		newstr[i] = lastQuantum[i];
		pos[i] = lastQuantum[i];

		/* Zero terminate */
		newstr[i] = '\0';
		pos[i] = '\0';

		/* Return the size of decoded data */
		/* Return the decoded data */
		*outptr = newstr;
		*outlen = rawlen;

		return CURLE_OK;

tests/unit/unit1302.c

+8 −9

Original line number	Diff line number	Diff line
		@@ -5,7 +5,7 @@
		* \| (__\| \|_\| \| _ <\| \|___
		* \___\|\___/\|_\| \_\_____\|
		*
		* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
		* Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
		*
		* This software is licensed as described in the file COPYING, which
		* you should have received as part of this distribution. The terms
		@@ -128,13 +128,12 @@ fail_unless(rc == CURLE_BAD_CONTENT_ENCODING, "return code should be CURLE_BAD_C
		fail_unless(size == 0, "size should be 0");
		fail_if(decoded, "returned pointer should be NULL");

		/* this is garbage input that libcurl decodes as far as possible */
		size = 0;
		decoded = NULL;
		/* This is garbage input as it contains an illegal base64 character */
		size = 1; /* not zero */
		decoded = &anychar; /* not NULL */
		rc = Curl_base64_decode("a\x1f==", &decoded, &size);
		fail_unless(rc == CURLE_OK, "return code should be CURLE_OK");
		fail_unless(size == 1, "size should be 1");
		fail_if(!decoded, "returned pointer should not be NULL");
		Curl_safefree(decoded);
		fail_unless(rc == CURLE_BAD_CONTENT_ENCODING, "return code should be CURLE_BAD_CONTENT_ENCODING");
		fail_unless(size == 0, "size should be 0");
		fail_if(decoded, "returned pointer should be NULL");

		UNITTEST_STOP

Admin message