Commit 0771d33b authored by Edward Catmur's avatar Edward Catmur

Don't read past the end of the decode out buffer.

If we finish decoding in step_a state, there is no current output character, so reading *plainchar will either be an uninitialized read or (if the output buffer is minimally sized) a past-the-end read.

Detected by -fsanitize=address.
parent 065181a1
...@@ -268,12 +268,24 @@ KJ_TEST("C escape encoding/decoding") { ...@@ -268,12 +268,24 @@ KJ_TEST("C escape encoding/decoding") {
} }
KJ_TEST("base64 encoding/decoding") { KJ_TEST("base64 encoding/decoding") {
{
auto encoded = encodeBase64(StringPtr("").asBytes(), false);
KJ_EXPECT(encoded == "", encoded, encoded.size());
KJ_EXPECT(heapString(decodeBase64(encoded.asArray()).asChars()) == "");
}
{ {
auto encoded = encodeBase64(StringPtr("foo").asBytes(), false); auto encoded = encodeBase64(StringPtr("foo").asBytes(), false);
KJ_EXPECT(encoded == "Zm9v", encoded, encoded.size()); KJ_EXPECT(encoded == "Zm9v", encoded, encoded.size());
KJ_EXPECT(heapString(decodeBase64(encoded.asArray()).asChars()) == "foo"); KJ_EXPECT(heapString(decodeBase64(encoded.asArray()).asChars()) == "foo");
} }
{
auto encoded = encodeBase64(StringPtr("quux").asBytes(), false);
KJ_EXPECT(encoded == "cXV1eA==", encoded, encoded.size());
KJ_EXPECT(heapString(decodeBase64(encoded.asArray()).asChars()) == "quux");
}
{ {
auto encoded = encodeBase64(StringPtr("corge").asBytes(), false); auto encoded = encodeBase64(StringPtr("corge").asBytes(), false);
KJ_EXPECT(encoded == "Y29yZ2U=", encoded); KJ_EXPECT(encoded == "Y29yZ2U=", encoded);
......
...@@ -697,7 +697,7 @@ int base64_decode_block(const char* code_in, const int length_in, ...@@ -697,7 +697,7 @@ int base64_decode_block(const char* code_in, const int length_in,
do { do {
if (codechar == code_in+length_in) { if (codechar == code_in+length_in) {
state_in->step = step_a; state_in->step = step_a;
state_in->plainchar = *plainchar; state_in->plainchar = '\0';
return plainchar - plaintext_out; return plainchar - plaintext_out;
} }
fragment = (char)base64_decode_value(*codechar++); fragment = (char)base64_decode_value(*codechar++);
......
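Review bot: Nothing in the hunk records why the step_a exit now stores `'\0'` while the analogous exits for the other steps (outside the hunk) presumably keep `state_in->plainchar = *plainchar;`, so the asymmetry invites a later "cleanup" that reintroduces the out-of-bounds read ASan caught. A one-line comment above the new assignment would pin the invariant: `// step_a: no partial output byte exists yet and plainchar points one past the last byte written, so it must not be read.` The stored value should be inert, since on resume the step_a branch is expected to write `*plainchar` before anything reads it, but that write is outside the hunk and worth confirming. If the function's preamble still does `*plainchar = state_in->plainchar;` on entry, as upstream libb64 does, a zero-length output buffer (the empty-string case added to the test file) would still be written one past the end; that line is also outside the hunk and the new test would only catch it under ASan. base64_decode_block starts and ends outside the hunk.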