Archivist
/
raylib-src
spogulis no https://github.com/raysan5/raylib
1
0
Atdalīts 0
Kods Problēmas 0 Laidieni 24 Vikivietne Aktivitāte
Pārlūkot izejas kodu

Fixing base64 decoding error when input string is bad (#5170) 

The following code would crash the previous version when calling MemFree:

	// 53 * A
        const char maliciousBase64Input[] = "AAAAAAAAAAAAAAAAAAAAAAAA"
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
        int decodedSize = 0;
        unsigned char *decodedData = DecodeDataBase64(
		maliciousBase64Input, &decodedSize);
        if (decodedData) {
		MemFree(decodedData);
        }

The reason is a lack of array bound checks in the decoding loop, which
corrupted here the heap (though this is platform dependent).

Adding the bound checks here prevents the memory corruption.

Tested with encoding random data of sizes 0-1023 and comparing it
with the decoded result.
pull/5174/head
Eike Decker pirms 1 mēnesi
committed by GitHub
vecāks
eb816898e5
revīzija
bd810368b0
Šim parakstam datu bāzē netika atrasta zināma atslēga GPG atslēgas ID: B5690EEEBB952194
1 mainītis faili ar 13 papildinājumiem un 2 dzēšanām
Dalītais skats
Salīdzināšanas iespējas
Rādīt statistiku Lejupielādēt ielāpa failu Lejupielādēt izmaiņu failu
  1. +13
    -2
      src/rcore.c

+ 13
- 2
src/rcore.c Parādīt failu

@ -2671,13 +2671,24 @@ unsigned char *DecodeDataBase64(const char *text, int *outputSize)
for (int i = 0; i < dataSize;)
{
// Every 4 sixtets must generate 3 octets
if (i + 2 >= dataSize)
{
TRACELOG(LOG_WARNING, "BASE64 decoding error: Input data size is not valid");
break;
}
unsigned int sixtetA = base64DecodeTable[(unsigned char)text[i]];
unsigned int sixtetB = base64DecodeTable[(unsigned char)text[i + 1]];
unsigned int sixtetC = ((unsigned char)text[i + 2] != '=')? base64DecodeTable[(unsigned char)text[i + 2]] : 0;
unsigned int sixtetD = ((unsigned char)text[i + 3] != '=')? base64DecodeTable[(unsigned char)text[i + 3]] : 0;
unsigned int sixtetC = (n">i + 2 < dataSize && (unsigned char)text[i + 2] != '=')? base64DecodeTable[(unsigned char)text[i + 2]] : 0;
unsigned int sixtetD = (n">i + 3 < dataSize && (unsigned char)text[i + 3] != '=')? base64DecodeTable[(unsigned char)text[i + 3]] : 0;
unsigned int octetPack = (sixtetA << 18) | (sixtetB << 12) | (sixtetC << 6) | sixtetD;
if (outputCount + 3 > maxOutputSize)
{
TRACELOG(LOG_WARNING, "BASE64 decoding: Output data size is too small");
break;
}
decodedData[outputCount + 0] = (octetPack >> 16) & 0xff;
decodedData[outputCount + 1] = (octetPack >> 8) & 0xff;
decodedData[outputCount + 2] = octetPack & 0xff;

Rakstīt Priekšskatītījums
Notiek ielāde…
Atcelt
Saglabāt