From 0003ea9c45cc8d2f57af760a92a35f371649714f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0tetiar?= Date: Tue, 19 Nov 2019 17:16:40 +0100 Subject: [PATCH] base64: fix possible null pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit clang-10 analyzer reports following: base64.c:325:20: warning: Array access (from variable 'target') results in a null pointer dereference target[tarindex] = 0; ~~~~~~ ^ and prepared test case confirms it: Invalid write of size 1 at 0x4E4463F: b64_decode (base64.c:325) by 0x40088C: test_invalid_inputs (tests/test-base64.c:26) by 0x40088C: main (tests/test-base64.c:32) Address 0x1 is not stack'd, malloc'd or (recently) free'd Process terminating with default action of signal 11 (SIGSEGV) Access not within mapped region at address 0x1 at 0x4E4463F: b64_decode (base64.c:325) by 0x40088C: test_invalid_inputs (tests/test-base64.c:26) by 0x40088C: main (tests/test-base64.c:32) Signed-off-by: Petr Štetiar --- base64.c | 6 ++++++ tests/cram/test_base64.t | 12 ++++++++++++ tests/test-b64_decode.c | 7 +++++++ tests/test-b64_encode.c | 7 +++++++ 4 files changed, 32 insertions(+) create mode 100644 tests/test-b64_decode.c create mode 100644 tests/test-b64_encode.c diff --git a/base64.c b/base64.c index 4759ede..1bf2177 100644 --- a/base64.c +++ b/base64.c @@ -65,6 +65,8 @@ #include #include #include + +#include "assert.h" #include "utils.h" static const char Base64[] = @@ -144,6 +146,8 @@ int b64_encode(const void *_src, size_t srclength, u_char output[4]; size_t i; + assert(dest && targsize > 0); + while (2 < srclength) { input[0] = *src++; input[1] = *src++; @@ -208,6 +212,8 @@ int b64_decode(const void *_src, void *dest, size_t targsize) state = 0; tarindex = 0; + assert(dest && targsize > 0); + while ((ch = (unsigned char)*src++) != '\0') { if (isspace(ch)) /* Skip whitespace anywhere. */ continue; diff --git a/tests/cram/test_base64.t b/tests/cram/test_base64.t index 4f8809f..0a7a9d5 100644 --- a/tests/cram/test_base64.t +++ b/tests/cram/test_base64.t @@ -19,3 +19,15 @@ check that base64 is producing expected results: 4 foob 5 fooba 6 foobar + +check that b64_encode and b64_decode assert invalid input + + $ alias check="egrep '(dumped|Assertion)' | sed 's;.*\(b64_.*code\).*\(Assertion.*$\);\1: \2;' | LC_ALL=C sort" + + $ test-b64_decode 2>&1 | check + Aborted (core dumped) + b64_decode: Assertion `dest && targsize > 0' failed. + + $ test-b64_encode 2>&1 | check + Aborted (core dumped) + b64_encode: Assertion `dest && targsize > 0' failed. diff --git a/tests/test-b64_decode.c b/tests/test-b64_decode.c new file mode 100644 index 0000000..4798fa8 --- /dev/null +++ b/tests/test-b64_decode.c @@ -0,0 +1,7 @@ +#include "utils.h" + +int main() +{ + b64_decode("Zg==", NULL, 2); + return 0; +} diff --git a/tests/test-b64_encode.c b/tests/test-b64_encode.c new file mode 100644 index 0000000..5f011e5 --- /dev/null +++ b/tests/test-b64_encode.c @@ -0,0 +1,7 @@ +#include "utils.h" + +int main() +{ + b64_encode("foo", 3, NULL, 2); + return 0; +}