From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id 32C526EC5B; Mon, 1 Mar 2021 15:31:19 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 32C526EC5B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1614601879; bh=J8ykE9DF21EBEPyw6gx001ZOTQcsy/mY3qbHMzE7Z3s=; h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:Cc:From; b=gtwIl/4T0YfJAlukIZwvs47Y2n/Y7mIO6r/90rnyvqi7M65ZQ3OFMy7S/7WY0OGUy NhMzwLIcP4disgjDX5gXDWPqkbzzU4yuGkm1iCacdE2zJ1kkL2T/pMX8Jyu49yeYtL I9NJtF7CUbpRfk19Pj0ddAoOHLs0/0yNluA9UIqg= Received: from smtpng3.m.smailru.net (smtpng3.m.smailru.net [94.100.177.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 93DCC6EC5B for ; Mon, 1 Mar 2021 15:31:17 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 93DCC6EC5B Received: by smtpng3.m.smailru.net with esmtpa (envelope-from ) id 1lGhhj-0005TF-U7; Mon, 01 Mar 2021 15:31:16 +0300 To: tarantool-patches@dev.tarantool.org Date: Mon, 1 Mar 2021 15:31:08 +0300 Message-Id: <5cbe765bbcfaa1d23a0ffa3ee29e74e2089f7466.1614601625.git.void@tarantool.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-7564579A: 646B95376F6C166E X-77F55803: 4F1203BC0FB41BD9795828B892398B723A23F4EA2EA8E6AEB2905550DA6E54AB182A05F538085040649EA62D3F7CEE980FE002CD299EB235AA9BE5C77EFEF55374EEEFC4DFC65934 X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7747FD4AFDBA6C67AEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637BBCE7257090F96C9EA1F7E6F0F101C67CDEEF6D7F21E0D1D174C73DBBBFC7664BB6531C443022E25C45669F70AEBA92097115B52386E1EDD389733CBF5DBD5E913377AFFFEAFD269A417C69337E82CC2CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92A417C69337E82CC2CC7F00164DA146DA6F5DAA56C3B73B23C77107234E2CFBA567F23339F89546C55F5C1EE8F4F765FCAEB924C2B054B06E75ECD9A6C639B01BBD4B6F7A4D31EC0BC0CAF46E325F83A522CA9DD8327EE4930A3850AC1BE2E735A3CCBC2573AEBDE1C4224003CC836476C0CAF46E325F83A50BF2EBBBDD9D6B0F5D41B9178041F3E72623479134186CDE6BA297DBC24807EABDAD6C7F3747799A X-C1DE0DAB: C20DE7B7AB408E4181F030C43753B8186998911F362727C414F749A5E30D975C25752893F242F32C54D49A12DFE38FF730D4B13AFA2382809C2B6934AE262D3EE7EAB7254005DCED3A96BCF046FC1CF19510FB958DCE06DB6ED91DBE5ABE359ADBCB5631A0A9D21F5E4DBAB5AF249FA793EDB24507CE13387DFF0A840B692CF8 X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D34806D3522FB05EB3930DC294288370AB7E842B249DB13D335D0A1B874025A38FE9ACED9DA493DD7701D7E09C32AA3244C38D622B1327E74D87D7721F8674B5DCBF94338140B71B8EE83B48618A63566E0 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojnpKwxR6GFbsZQtkU2r4NNQ== X-Mailru-Sender: 689FA8AB762F73936BC43F508A06382263515CD51BB0A78E90BE92CCE28A5C93DD675A873A6B1A573284F99205A65E8EFB559BB5D741EB966AABCD5B59A9F6DF9ABAAAF6BC5F075B67EA787935ED9F1B X-Mras: Ok Subject: [Tarantool-patches] [PATCH v7] base64: fix decoder output buffer overrun (reads) X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Nikiforov via Tarantool-patches Reply-To: Sergey Nikiforov Cc: Vladislav Shpilevoy , Alexander Turenko Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" Was caught by base64 test with enabled ASAN. It also caused data corruption - garbage instead of "extra bits" was saved into state->result if there was no space in output buffer. Decode state removed along with helper functions. Added test for "zero-sized output buffer" case. Fixes: #3069 --- Branch: https://github.com/tarantool/tarantool/tree/void234/gh-3069-fix-base64-memory-overrun-v7 Issue: https://github.com/tarantool/tarantool/issues/3069 test/unit/base64.c | 16 +++++- test/unit/base64.result | 5 +- third_party/base64.c | 123 +++++++++++++--------------------------- 3 files changed, 57 insertions(+), 87 deletions(-) diff --git a/test/unit/base64.c b/test/unit/base64.c index cc74f64d1..508877217 100644 --- a/test/unit/base64.c +++ b/test/unit/base64.c @@ -75,9 +75,22 @@ base64_invalid_chars_test(void) check_plan(); } +static void +base64_no_space_test(void) +{ + plan(1); + + const char *const in = "sIIpHw=="; + const int in_len = strlen(in); + const int rc = base64_decode(in, in_len, NULL, 0); + is(rc, 0, "no space in out buffer"); + + check_plan(); +} + int main(int argc, char *argv[]) { - plan(29); + plan(30); header(); const char *option_tests[] = { @@ -96,6 +109,7 @@ int main(int argc, char *argv[]) } base64_invalid_chars_test(); + base64_no_space_test(); footer(); return check_plan(); diff --git a/test/unit/base64.result b/test/unit/base64.result index 3bc2c2275..495e2d0a2 100644 --- a/test/unit/base64.result +++ b/test/unit/base64.result @@ -1,4 +1,4 @@ -1..29 +1..30 *** main *** 1..3 ok 1 - length @@ -178,4 +178,7 @@ ok 28 - subtests 1..1 ok 1 - ignoring invalid chars ok 29 - subtests + 1..1 + ok 1 - no space in out buffer +ok 30 - subtests *** main: done *** diff --git a/third_party/base64.c b/third_party/base64.c index 7c69315ea..8304adaa3 100644 --- a/third_party/base64.c +++ b/third_party/base64.c @@ -202,14 +202,6 @@ base64_encode(const char *in_bin, int in_len, /* {{{ decode */ -enum base64_decodestep { step_a, step_b, step_c, step_d }; - -struct base64_decodestate -{ - enum base64_decodestep step; - char result; -}; - static int base64_decode_value(int value) { @@ -231,94 +223,55 @@ base64_decode_value(int value) return decoding[codepos]; } -static inline void -base64_decodestate_init(struct base64_decodestate *state) -{ - state->step = step_a; - state->result = 0; -} - -static int -base64_decode_block(const char *in_base64, int in_len, - char *out_bin, int out_len, - struct base64_decodestate *state) +int +base64_decode(const char *in_base64, int in_len, + char *out_bin, int out_len) { const char *in_pos = in_base64; const char *in_end = in_base64 + in_len; char *out_pos = out_bin; char *out_end = out_bin + out_len; int fragment; + char curr_byte; - *out_pos = state->result; - - switch (state->step) + while (1) { - while (1) - { - case step_a: - do { - if (in_pos == in_end || out_pos >= out_end) - { - state->step = step_a; - state->result = *out_pos; - return out_pos - out_bin; - } - fragment = base64_decode_value(*in_pos++); - } while (fragment < 0); - *out_pos = (fragment & 0x03f) << 2; - case step_b: - do { - if (in_pos == in_end || out_pos >= out_end) - { - state->step = step_b; - state->result = *out_pos; - return out_pos - out_bin; - } - fragment = base64_decode_value(*in_pos++); - } while (fragment < 0); - *out_pos++ |= (fragment & 0x030) >> 4; - if (out_pos < out_end) - *out_pos = (fragment & 0x00f) << 4; - case step_c: - do { - if (in_pos == in_end || out_pos >= out_end) - { - state->step = step_c; - state->result = *out_pos; - return out_pos - out_bin; - } - fragment = base64_decode_value(*in_pos++); - } while (fragment < 0); - *out_pos++ |= (fragment & 0x03c) >> 2; - if (out_pos < out_end) - *out_pos = (fragment & 0x003) << 6; - case step_d: - do { - if (in_pos == in_end || out_pos >= out_end) - { - state->step = step_d; - state->result = *out_pos; - return out_pos - out_bin; - } - fragment = base64_decode_value(*in_pos++); - } while (fragment < 0); - *out_pos++ |= (fragment & 0x03f); - } + do { + if (in_pos == in_end || out_pos >= out_end) + return out_pos - out_bin; + fragment = base64_decode_value(*in_pos++); + } while (fragment < 0); + curr_byte = (fragment & 0x03f) << 2; + do { + if (in_pos == in_end || out_pos >= out_end) + return out_pos - out_bin; + fragment = base64_decode_value(*in_pos++); + } while (fragment < 0); + curr_byte |= (fragment & 0x030) >> 4; + *out_pos++ = curr_byte; + curr_byte = (fragment & 0x00f) << 4; + if (out_pos < out_end) + *out_pos = curr_byte; + do { + if (in_pos == in_end || out_pos >= out_end) + return out_pos - out_bin; + fragment = base64_decode_value(*in_pos++); + } while (fragment < 0); + curr_byte |= (fragment & 0x03c) >> 2; + *out_pos++ = curr_byte; + curr_byte = (fragment & 0x003) << 6; + if (out_pos < out_end) + *out_pos = curr_byte; + do { + if (in_pos == in_end || out_pos >= out_end) + return out_pos - out_bin; + fragment = base64_decode_value(*in_pos++); + } while (fragment < 0); + curr_byte |= (fragment & 0x03f); + *out_pos++ = curr_byte; } /* control should not reach here */ return out_pos - out_bin; } - - -int -base64_decode(const char *in_base64, int in_len, - char *out_bin, int out_len) -{ - struct base64_decodestate state; - base64_decodestate_init(&state); - return base64_decode_block(in_base64, in_len, - out_bin, out_len, &state); -} - /* }}} */ -- 2.25.1