Fix dec64table[] OOB read in b64decode()

Possible values for y at this point are 0..255.  However, dec64table[]
only has 128 entries and hence valid indexes are 0..127.  The values of
y greater than 127 trigger out of bounds read.  As dec64table[] is in
the data segment, the OOB access is not detected by tools as valgrind or
ASAN.  This adds a check to ensure y is less than or equal to 127, just
like in other cases where dec64table[] is accessed.

Note that removal of the y == 0 condition is not a problem, as
dec64table[0] == 255, so the second part of the condition is true.

diff --git a/src/src/base64.c b/src/src/base64.c
index dbbd6a40e0cdf6e91dfc1cf9e60bcb2a8e9a5d4c..e63522ec4d5bc4a002bc8ca84fcd40a63339ddc4 100644 (file)
--- a/src/src/base64.c
+++ b/src/src/base64.c
@@ -173,7 +173,7 @@ while ((x = *code++) != 0)
 
   while (isspace(y = *code++)) ;
   /* debug_printf("b64d: '%c'\n", y); */
-  if (y == 0 || (y = dec64table[y]) == 255)
+  if (y > 127 || (y = dec64table[y]) == 255)
     return -1;
 
   *result++ = (x << 2) | (y >> 4);