From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id AEE9684390; Mon, 11 Jan 2021 12:45:46 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org AEE9684390 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1610358346; bh=KSlLswryTF6BBve7zdZ+VBp3qxc4VoSlClrt0lT+z5o=; h=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=JvVIFIbsUewraAQ/vRrE4L77fpX4mLdr1DW9eql5tseH9g1pOU732VklbLmKZ1jol p0OgHoNp8ors11ssaJTUdVulIf2LKNx7LFgAjORlaS+DXTKEaPdRI3eIi1b1BYp7LH okFJvdq/xpkTosr5NTp87ZOmYOwBceFUtAsxSbPQ= Received: from smtpng3.m.smailru.net (smtpng3.m.smailru.net [94.100.177.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 5201B84390 for ; Mon, 11 Jan 2021 12:45:25 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 5201B84390 Received: by smtpng3.m.smailru.net with esmtpa (envelope-from ) id 1kytlM-00039R-80; Mon, 11 Jan 2021 12:45:24 +0300 To: tarantool-patches@dev.tarantool.org Date: Mon, 11 Jan 2021 12:45:00 +0300 Message-Id: <7f5ce3321cda6d4305282af486ed2f493b920d1f.1610357625.git.void@tarantool.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-7564579A: B8F34718100C35BD X-77F55803: 4F1203BC0FB41BD9D0E79FBC973162CDDA1A336500443B3AD46BC604C28ED16A00894C459B0CD1B94632C35851C0B03A94310C42E63BA55D415C8B29C57F0A26033FDC616F2E6AF2 X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE79E448936ADEE6ED1C2099A533E45F2D0395957E7521B51C2CFCAF695D4D8E9FCEA1F7E6F0F101C6778DA827A17800CE71F31443D278F8A69EA1F7E6F0F101C674E70A05D1297E1BBC6CDE5D1141D2B1C49D21CCBE858EFA1E55A2485AE4BB5F63EFAEFC720026E679FA2833FD35BB23D9E625A9149C048EE4B6963042765DA4B618001F51B5FD3F9D2E47CDBA5A96583BD4B6F7A4D31EC0BC014FD901B82EE079FA2833FD35BB23D27C277FBC8AE2E8BAA867293B0326636D2E47CDBA5A96583BA9C0B312567BB23089D37D7C0E48F6CA18204E546F3947C1C26F9D97AE30D3A42539A7722CA490CC8A9BA7A39EFB7666BA297DBC24807EA089D37D7C0E48F6C8AA50765F790063709FA1247F8E46FACEFF80C71ABB335746BA297DBC24807EA27F269C8F02392CDC58410348177836EABEDDA51113D120200306258E7E6ABB4E4A6367B16DE6309 X-C1DE0DAB: C20DE7B7AB408E4181F030C43753B8186998911F362727C414F749A5E30D975CFA107D2111241699B347191074207E72C67B3F2D08706EC99C2B6934AE262D3EE7EAB7254005DCED7532B743992DF240BDC6A1CF3F042BAD6DF99611D93F60EF31C0090ACECF247D699F904B3F4130E343918A1A30D5E7FCCB5012B2E24CD356 X-C8649E89: 4E36BF7865823D7055A7F0CF078B5EC49A30900B95165D34738A88CA0C70A558D53F56B6855CDDF2AB6692FAF113BAAFA57747FF5DCDECD6460A693C13358ADD1D7E09C32AA3244C861478E6AF441AFFD6CED8ECB20376B0B038C9161EF167A183B48618A63566E0 X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojmz2Dv49v36i7R9Lw/9SEcg== X-Mailru-Sender: 689FA8AB762F73937240DDB2502DDB70091E819D0723040FE1923652C6C738DEDD675A873A6B1A573284F99205A65E8EFB559BB5D741EB966AABCD5B59A9F6DF9ABAAAF6BC5F075B67EA787935ED9F1B X-Mras: Ok Subject: [Tarantool-patches] [PATCH v6 1/2] base64: fix decoder output buffer overrun (reads) X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Nikiforov via Tarantool-patches Reply-To: Sergey Nikiforov Cc: Vladislav Shpilevoy , Alexander Turenko Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" Was caught by base64 test with enabled ASAN. It also caused data corruption - garbage instead of "extra bits" was saved into state->result if there was no space in output buffer. Added test for "zero-sized output buffer" case. Fixes: #3069 --- Branch: https://github.com/tarantool/tarantool/tree/void234/gh-3069-fix-base64-memory-overrun-v6 Issue: https://github.com/tarantool/tarantool/issues/3069 test/unit/base64.c | 16 +++++++++++++++- test/unit/base64.result | 5 ++++- third_party/base64.c | 28 +++++++++++++++++----------- 3 files changed, 36 insertions(+), 13 deletions(-) diff --git a/test/unit/base64.c b/test/unit/base64.c index cc74f64d1..508877217 100644 --- a/test/unit/base64.c +++ b/test/unit/base64.c @@ -75,9 +75,22 @@ base64_invalid_chars_test(void) check_plan(); } +static void +base64_no_space_test(void) +{ + plan(1); + + const char *const in = "sIIpHw=="; + const int in_len = strlen(in); + const int rc = base64_decode(in, in_len, NULL, 0); + is(rc, 0, "no space in out buffer"); + + check_plan(); +} + int main(int argc, char *argv[]) { - plan(29); + plan(30); header(); const char *option_tests[] = { @@ -96,6 +109,7 @@ int main(int argc, char *argv[]) } base64_invalid_chars_test(); + base64_no_space_test(); footer(); return check_plan(); diff --git a/test/unit/base64.result b/test/unit/base64.result index 3bc2c2275..495e2d0a2 100644 --- a/test/unit/base64.result +++ b/test/unit/base64.result @@ -1,4 +1,4 @@ -1..29 +1..30 *** main *** 1..3 ok 1 - length @@ -178,4 +178,7 @@ ok 28 - subtests 1..1 ok 1 - ignoring invalid chars ok 29 - subtests + 1..1 + ok 1 - no space in out buffer +ok 30 - subtests *** main: done *** diff --git a/third_party/base64.c b/third_party/base64.c index 7c69315ea..3ecd0843a 100644 --- a/third_party/base64.c +++ b/third_party/base64.c @@ -248,8 +248,9 @@ base64_decode_block(const char *in_base64, int in_len, char *out_pos = out_bin; char *out_end = out_bin + out_len; int fragment; + char curr_byte; - *out_pos = state->result; + curr_byte = state->result; switch (state->step) { @@ -260,49 +261,54 @@ base64_decode_block(const char *in_base64, int in_len, if (in_pos == in_end || out_pos >= out_end) { state->step = step_a; - state->result = *out_pos; + state->result = curr_byte; return out_pos - out_bin; } fragment = base64_decode_value(*in_pos++); } while (fragment < 0); - *out_pos = (fragment & 0x03f) << 2; + curr_byte = (fragment & 0x03f) << 2; case step_b: do { if (in_pos == in_end || out_pos >= out_end) { state->step = step_b; - state->result = *out_pos; + state->result = curr_byte; return out_pos - out_bin; } fragment = base64_decode_value(*in_pos++); } while (fragment < 0); - *out_pos++ |= (fragment & 0x030) >> 4; + curr_byte |= (fragment & 0x030) >> 4; + *out_pos++ = curr_byte; + curr_byte = (fragment & 0x00f) << 4; if (out_pos < out_end) - *out_pos = (fragment & 0x00f) << 4; + *out_pos = curr_byte; case step_c: do { if (in_pos == in_end || out_pos >= out_end) { state->step = step_c; - state->result = *out_pos; + state->result = curr_byte; return out_pos - out_bin; } fragment = base64_decode_value(*in_pos++); } while (fragment < 0); - *out_pos++ |= (fragment & 0x03c) >> 2; + curr_byte |= (fragment & 0x03c) >> 2; + *out_pos++ = curr_byte; + curr_byte = (fragment & 0x003) << 6; if (out_pos < out_end) - *out_pos = (fragment & 0x003) << 6; + *out_pos = curr_byte; case step_d: do { if (in_pos == in_end || out_pos >= out_end) { state->step = step_d; - state->result = *out_pos; + state->result = curr_byte; return out_pos - out_bin; } fragment = base64_decode_value(*in_pos++); } while (fragment < 0); - *out_pos++ |= (fragment & 0x03f); + curr_byte |= (fragment & 0x03f); + *out_pos++ = curr_byte; } } /* control should not reach here */ -- 2.25.1