[Rpm-maint] [PATCH] Fix array bounds check of decoding[] in base64_decode_value.

2016-05-25 Thread Mark Wielaard
This issue was reported against the libb64 public domain code from which
rpmio/base64.c was derived. https://sourceforge.net/p/libb64/bugs/2/
The char signedness issue was already solved differently in our code,
but the array bounds check was missing in rpmio/base64.c.

Fix suggested by Jakub Wilk and Jonathan Wakely.

Signed-off-by: Mark Wielaard 
---
 rpmio/base64.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rpmio/base64.c b/rpmio/base64.c
index 60e67d4..a3767ca 100644
--- a/rpmio/base64.c
+++ b/rpmio/base64.c
@@ -103,8 +103,9 @@ char *rpmBase64Encode(const void *data, size_t len, int 
linelen)
 static int base64_decode_value(unsigned char value_in)
 {
static const int decoding[] = 
{62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
+   if (value_in < 43) return -1;
value_in -= 43;
-   if (value_in > sizeof(decoding)/sizeof(int))
+   if (value_in >= sizeof(decoding)/sizeof(int))
return -1;
return decoding[value_in];
 }
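Review bot: in the bounds check after `value_in -= 43`, the element count is written as sizeof(decoding)/sizeof(int), which silently goes wrong if the table's element type is ever changed; sizeof(decoding)/sizeof(decoding[0]) keeps the limit tied to the array itself. The table has 80 entries, so the old `>` comparison accepted index 80 (input byte 123, '{') and read one element past the end, which `>=` closes. A short comment saying that the table covers '+' (43) through 'z' (122) would make the limit easy to re-verify.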
-- 
2.5.5

___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint


Re: [Rpm-maint] [PATCH] Fix array bounds check of decoding[] in base64_decode_value.

2016-06-06 Thread Jonathan Wakely

On 25/05/16 14:32 +0200, Mark Wielaard wrote:

This issue was reported against the libb64 public domain code from which
rpmio/base64.c was derived. https://sourceforge.net/p/libb64/bugs/2/
The char signedness issue was already solved differently in our code,
but the array bounds check was missing in rpmio/base64.c.


N.B. the >= change was just merged here:
https://github.com/rpm-software-management/rpm/pull/68/files

The value_in < 43 check isn't strictly needed for RPM, because the
code was changed to use unsigned char (unlike upstream libb64 which
uses char), and so if value_in is less than 43 it will wrap to a
positive value greater than 212, which will fail the
sizeof(decoding)/sizeof(int) check.



Fix suggested by Jakub Wilk and Jonathan Wakely.

Signed-off-by: Mark Wielaard 
---
rpmio/base64.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rpmio/base64.c b/rpmio/base64.c
index 60e67d4..a3767ca 100644
--- a/rpmio/base64.c
+++ b/rpmio/base64.c
@@ -103,8 +103,9 @@ char *rpmBase64Encode(const void *data, size_t len, int 
linelen)
static int base64_decode_value(unsigned char value_in)
{
static const int decoding[] = 
{62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
+   if (value_in < 43) return -1;
value_in -= 43;
-   if (value_in > sizeof(decoding)/sizeof(int))
+   if (value_in >= sizeof(decoding)/sizeof(int))
return -1;
return decoding[value_in];
}
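Review bot: the added `if (value_in < 43) return -1;` line carries no comment explaining why it is there, and with the `unsigned char` parameter the subtraction below it already wraps such inputs to 213..255, which the `>=` check rejects. Either keep the guard with a one-line comment that it protects against the parameter type going back to plain char, or drop it. Writing 43 as '+' in both places and putting the return on its own line, as the check below does, would also help readability.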
--
2.5.5
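
Both points made in this thread can be checked exhaustively over all 256 byte values. The following is an added example, not code from the patch or from RPM: the table is copied from the patch, while the enum names and helper functions are assumptions made here, and the index is computed without performing the read so the out-of-bounds case can be reported safely.

```c
#include <stddef.h>
#include <stdio.h>
/* Table copied from the patch: 80 entries covering '+' (43) through 'z' (122). */
static const int decoding[] =
{62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51};
#define NDEC (sizeof(decoding) / sizeof(decoding[0]))

/* Hypothetical names: the old '>' check, the merged '>=' check, the patch with the '< 43' guard. */
enum variant { OLD_GT, MERGED_GE, PATCH_GUARD_GE };

/* Returns the table index the variant would read for this byte, or -1 if the
 * variant rejects it. The table itself is never read here. */
static int index_used(enum variant v, unsigned char value_in)
{
    if (v == PATCH_GUARD_GE && value_in < 43)
        return -1;
    value_in -= 43;                 /* wraps modulo 256 for inputs below 43 */
    if (v == OLD_GT ? value_in > NDEC : value_in >= NDEC)
        return -1;
    return value_in;
}

/* Counts bytes 0..255 whose index lands past the table; *last gets the last such byte. */
static int count_oob(enum variant v, int *last)
{
    int n = 0;
    for (int c = 0; c < 256; c++) {
        int idx = index_used(v, (unsigned char)c);
        if (idx >= 0 && (size_t)idx >= NDEC) { n++; *last = c; }
    }
    return n;
}

/* Number of bytes 0..255 on which two variants give different results. */
static int count_diff(enum variant a, enum variant b)
{
    int n = 0;
    for (int c = 0; c < 256; c++)
        n += index_used(a, (unsigned char)c) != index_used(b, (unsigned char)c);
    return n;
}

int main(void)
{
    int bad = -1, n = count_oob(OLD_GT, &bad);
    printf("old '>': %d out-of-bounds index, input byte %d\n", n, bad);
    printf("guard changes %d results\n", count_diff(MERGED_GE, PATCH_GUARD_GE));
    return 0;
}
```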

