From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id 9F3A06EC59;
	Tue,  9 Mar 2021 13:00:09 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 9F3A06EC59
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1615284009; bh=zTelQoKEpt4K/3L8bryAXgqj96fD5LNOsN64Y1MkIEs=;
	h=To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc:From;
	b=eL8UAtM0LfxTrgoDsvcnRTIeGqtaTBD+DV6JTn1MY3TwqcSvecQn/YvGYUtOF4h0E
	 BzKOnSq5XE3QzQlOvlk0dz0z1KZZ88qoynOMZG0MkbrpnB3zLwXMKkjVxtWWtAEFHm
	 dIVOyJJuimr89rp+8hcLJqntjRT4NRFPJ2v9KgEE=
Received: from smtpng3.m.smailru.net (smtpng3.m.smailru.net [94.100.177.149])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id CB8826EC59
 for <tarantool-patches@dev.tarantool.org>;
 Tue,  9 Mar 2021 13:00:07 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org CB8826EC59
Received: by smtpng3.m.smailru.net with esmtpa (envelope-from
 <void@tarantool.org>)
 id 1lJZ9q-0003uA-8q; Tue, 09 Mar 2021 13:00:06 +0300
To: tarantool-patches@dev.tarantool.org
Date: Tue,  9 Mar 2021 12:59:56 +0300
Message-Id: <7214add2c7f2a86265a5e08f2184029a19fc184d.1615283860.git.void@tarantool.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD9D3134714A9BDB69B6D9CBB8C4C1E2C2453F3F16C3D6F3AC500894C459B0CD1B9E898772DD35C4AAFF5A256B17314154C9B0DE9CFAF91FC4A012184F85FB44711
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE704BA85F3D5A9F85BEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F79006370EBB47D88F71BB738638F802B75D45FF5571747095F342E8C7A0BC55FA0FE5FC7225A717A9B59409E2F797D597C14A844AB9361A48CFAD01389733CBF5DBD5E913377AFFFEAFD269A417C69337E82CC2CC7F00164DA146DAFE8445B8C89999729449624AB7ADAF37F6B57BC7E64490611E7FA7ABCAF51C92176DF2183F8FC7C07E7E81EEA8A9722B8941B15DA834481F9449624AB7ADAF3735872C767BF85DA29E625A9149C048EE0A3850AC1BE2E73557739F23D657EF2BC8A9BA7A39EFB7666BA297DBC24807EA089D37D7C0E48F6C8AA50765F7900637A63D8D502DFAF8B5731C566533BA786A40A5AABA2AD371193C9F3DD0FB1AF5EBF64ED337B09931FD27F269C8F02392CD5571747095F342E88FB05168BE4CE3AF
X-C1DE0DAB: C20DE7B7AB408E4181F030C43753B8186998911F362727C414F749A5E30D975C1F4A82545730C76168BC84AF92A190293BC8C23DC99BDAE29C2B6934AE262D3EE7EAB7254005DCED3A96BCF046FC1CF19510FB958DCE06DB6ED91DBE5ABE359ADBCB5631A0A9D21F5E4DBAB5AF249FA793EDB24507CE13387DFF0A840B692CF8
X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D34E9B0C12ABED551370405B1DE8545B2A5A96A3484133DFE2BCF9D37E3D69539A46674153529F13DAB1D7E09C32AA3244CAC18C105E232887A926E386BC137BA8E435BF7150578642F83B48618A63566E0
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojUqxEkzHTt/h2aJOA7raCZg==
X-Mailru-Sender: 689FA8AB762F73936BC43F508A063822AEA9734F1F284698DC303614FDDBDE5DDD675A873A6B1A573284F99205A65E8EFB559BB5D741EB966AABCD5B59A9F6DF9ABAAAF6BC5F075B67EA787935ED9F1B
X-Mras: Ok
Subject: [Tarantool-patches] [PATCH v8] base64: fix decoder output buffer
 overrun (reads)
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Sergey Nikiforov via Tarantool-patches
 <tarantool-patches@dev.tarantool.org>
Reply-To: Sergey Nikiforov <void@tarantool.org>
Cc: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>,
 Alexander Turenko <alexander.turenko@tarantool.org>
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>

Was caught by base64 test with enabled ASAN.

It also caused data corruption - garbage instead of "extra bits" was
saved into state->result if there was no space in output buffer.

Decode state removed along with helper functions.

Added test for "zero-sized output buffer" case.

Fixes: #3069
---

Branch: https://github.com/tarantool/tarantool/tree/void234/gh-3069-fix-base64-memory-overrun-v8
Issue: https://github.com/tarantool/tarantool/issues/3069

 test/unit/base64.c      |  16 +++++-
 test/unit/base64.result |   5 +-
 third_party/base64.c    | 117 +++++++++++-----------------------------
 3 files changed, 51 insertions(+), 87 deletions(-)

diff --git a/test/unit/base64.c b/test/unit/base64.c
index cc74f64d1..508877217 100644
--- a/test/unit/base64.c
+++ b/test/unit/base64.c
@@ -75,9 +75,22 @@ base64_invalid_chars_test(void)
 	check_plan();
 }
 
+static void
+base64_no_space_test(void)
+{
+	plan(1);
+
+	const char *const in = "sIIpHw==";
+	const int in_len = strlen(in);
+	const int rc = base64_decode(in, in_len, NULL, 0);
+	is(rc, 0, "no space in out buffer");
+
+	check_plan();
+}
+
 int main(int argc, char *argv[])
 {
-	plan(29);
+	plan(30);
 	header();
 
 	const char *option_tests[] = {
@@ -96,6 +109,7 @@ int main(int argc, char *argv[])
 	}
 
 	base64_invalid_chars_test();
+	base64_no_space_test();
 
 	footer();
 	return check_plan();
diff --git a/test/unit/base64.result b/test/unit/base64.result
index 3bc2c2275..495e2d0a2 100644
--- a/test/unit/base64.result
+++ b/test/unit/base64.result
@@ -1,4 +1,4 @@
-1..29
+1..30
 	*** main ***
     1..3
     ok 1 - length
@@ -178,4 +178,7 @@ ok 28 - subtests
     1..1
     ok 1 - ignoring invalid chars
 ok 29 - subtests
+    1..1
+    ok 1 - no space in out buffer
+ok 30 - subtests
 	*** main: done ***
diff --git a/third_party/base64.c b/third_party/base64.c
index 7c69315ea..1990fd49c 100644
--- a/third_party/base64.c
+++ b/third_party/base64.c
@@ -202,14 +202,6 @@ base64_encode(const char *in_bin, int in_len,
 
 /* {{{ decode */
 
-enum base64_decodestep { step_a, step_b, step_c, step_d };
-
-struct base64_decodestate
-{
-	enum base64_decodestep step;
-	char result;
-};
-
 static int
 base64_decode_value(int value)
 {
@@ -231,17 +223,9 @@ base64_decode_value(int value)
 	return decoding[codepos];
 }
 
-static inline void
-base64_decodestate_init(struct base64_decodestate *state)
-{
-	state->step = step_a;
-	state->result = 0;
-}
-
-static int
-base64_decode_block(const char *in_base64, int in_len,
-		    char *out_bin, int out_len,
-		    struct base64_decodestate *state)
+int
+base64_decode(const char *in_base64, int in_len,
+	      char *out_bin, int out_len)
 {
 	const char *in_pos = in_base64;
 	const char *in_end = in_base64 + in_len;
@@ -249,76 +233,39 @@ base64_decode_block(const char *in_base64, int in_len,
 	char *out_end = out_bin + out_len;
 	int fragment;
 
-	*out_pos = state->result;
-
-	switch (state->step)
+	while (1)
 	{
-		while (1)
-		{
-	case step_a:
-			do {
-				if (in_pos == in_end || out_pos >= out_end)
-				{
-					state->step = step_a;
-					state->result = *out_pos;
-					return out_pos - out_bin;
-				}
-				fragment = base64_decode_value(*in_pos++);
-			} while (fragment < 0);
-			*out_pos    = (fragment & 0x03f) << 2;
-	case step_b:
-			do {
-				if (in_pos == in_end || out_pos >= out_end)
-				{
-					state->step = step_b;
-					state->result = *out_pos;
-					return out_pos - out_bin;
-				}
-				fragment = base64_decode_value(*in_pos++);
-			} while (fragment < 0);
-			*out_pos++ |= (fragment & 0x030) >> 4;
-			if (out_pos < out_end)
-				*out_pos = (fragment & 0x00f) << 4;
-	case step_c:
-			do {
-				if (in_pos == in_end || out_pos >= out_end)
-				{
-					state->step = step_c;
-					state->result = *out_pos;
-					return out_pos - out_bin;
-				}
-				fragment = base64_decode_value(*in_pos++);
-			} while (fragment < 0);
-			*out_pos++ |= (fragment & 0x03c) >> 2;
-			if (out_pos < out_end)
-				*out_pos = (fragment & 0x003) << 6;
-	case step_d:
-			do {
-				if (in_pos == in_end || out_pos >= out_end)
-				{
-					state->step = step_d;
-					state->result = *out_pos;
-					return out_pos - out_bin;
-				}
-				fragment = base64_decode_value(*in_pos++);
-			} while (fragment < 0);
-			*out_pos++   |= (fragment & 0x03f);
-		}
+		do {
+			if (in_pos == in_end || out_pos >= out_end)
+				return out_pos - out_bin;
+			fragment = base64_decode_value(*in_pos++);
+		} while (fragment < 0);
+		*out_pos = (fragment & 0x03f) << 2;
+		do {
+			if (in_pos == in_end || out_pos >= out_end)
+				return out_pos - out_bin;
+			fragment = base64_decode_value(*in_pos++);
+		} while (fragment < 0);
+		*out_pos++ |= (fragment & 0x030) >> 4;
+		if (out_pos < out_end)
+			*out_pos = (fragment & 0x00f) << 4;
+		do {
+			if (in_pos == in_end || out_pos >= out_end)
+				return out_pos - out_bin;
+			fragment = base64_decode_value(*in_pos++);
+		} while (fragment < 0);
+		*out_pos++ |= (fragment & 0x03c) >> 2;
+		if (out_pos < out_end)
+			*out_pos = (fragment & 0x003) << 6;
+		do {
+			if (in_pos == in_end || out_pos >= out_end)
+				return out_pos - out_bin;
+			fragment = base64_decode_value(*in_pos++);
+		} while (fragment < 0);
+		*out_pos++ |= (fragment & 0x03f);
 	}
 	/* control should not reach here */
 	return out_pos - out_bin;
 }
 
-
-
-int
-base64_decode(const char *in_base64, int in_len,
-	      char *out_bin, int out_len)
-{
-	struct base64_decodestate state;
-	base64_decodestate_init(&state);
-	return base64_decode_block(in_base64, in_len,
-				   out_bin, out_len, &state);
-}
-
 /* }}} */
-- 
2.25.1