diff options
| -rw-r--r-- | src/liboutils/base64.c | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/src/liboutils/base64.c b/src/liboutils/base64.c index 85974ab..a53060d 100644 --- a/src/liboutils/base64.c +++ b/src/liboutils/base64.c @@ -1,4 +1,6 @@ -/* $OpenBSD: base64.c,v 1.5 2006/10/21 09:55:03 otto Exp $ */ +/* $OpenBSD: base64.c,v 1.8 2015/01/16 16:48:51 deraadt Exp $ */ +/* Upstream: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/net/base64.c + * Identifiers are renamed! */ /* * Copyright (c) 1996 by Internet Software Consortium. @@ -43,7 +45,6 @@ */ #include <sys/types.h> -#include <sys/param.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> @@ -194,12 +195,13 @@ __b64_pton(src, target, targsize) size_t targsize; { int tarindex, state, ch; + u_char nextbyte; char *pos; state = 0; tarindex = 0; - while ((ch = *src++) != '\0') { + while ((ch = (unsigned char)*src++) != '\0') { if (isspace(ch)) /* Skip whitespace anywhere. */ continue; @@ -221,22 +223,28 @@ __b64_pton(src, target, targsize) break; case 1: if (target) { - if (tarindex + 1 >= targsize) + if (tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 4; - target[tarindex+1] = ((pos - Base64) & 0x0f) - << 4 ; + nextbyte = ((pos - Base64) & 0x0f) << 4; + if (tarindex + 1 < targsize) + target[tarindex+1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 2; break; case 2: if (target) { - if (tarindex + 1 >= targsize) + if (tarindex >= targsize) return (-1); target[tarindex] |= (pos - Base64) >> 2; - target[tarindex+1] = ((pos - Base64) & 0x03) - << 6; + nextbyte = ((pos - Base64) & 0x03) << 6; + if (tarindex + 1 < targsize) + target[tarindex+1] = nextbyte; + else if (nextbyte) + return (-1); } tarindex++; state = 3; @@ -258,8 +266,8 @@ __b64_pton(src, target, targsize) * on a byte boundary, and/or with erroneous trailing characters. */ - if (ch == Pad64) { /* We got a pad char. */ - ch = *src++; /* Skip it, get next. */ + if (ch == Pad64) { /* We got a pad char. */ + ch = (unsigned char)*src++; /* Skip it, get next. */ switch (state) { case 0: /* Invalid = in first position */ case 1: /* Invalid = in second position */ @@ -267,13 +275,13 @@ __b64_pton(src, target, targsize) case 2: /* Valid, means one byte of info */ /* Skip any number of spaces. */ - for (; ch != '\0'; ch = *src++) + for (; ch != '\0'; ch = (unsigned char)*src++) if (!isspace(ch)) break; /* Make sure there is another trailing = sign. */ if (ch != Pad64) return (-1); - ch = *src++; /* Skip the = */ + ch = (unsigned char)*src++; /* Skip the = */ /* Fall through to "single trailing =" case. */ /* FALLTHROUGH */ @@ -282,7 +290,7 @@ __b64_pton(src, target, targsize) * We know this char is an =. Is there anything but * whitespace after it? */ - for (; ch != '\0'; ch = *src++) + for (; ch != '\0'; ch = (unsigned char)*src++) if (!isspace(ch)) return (-1); @@ -292,7 +300,8 @@ __b64_pton(src, target, targsize) * zeros. If we don't check them, they become a * subliminal channel. */ - if (target && target[tarindex] != 0) + if (target && tarindex < targsize && + target[tarindex] != 0) return (-1); } } else { |