Possible values for y at this point are 0..255. However, dec64table[]
only has 128 entries and hence valid indexes are 0..127. The values of
y greater than 127 trigger out of bounds read. As dec64table[] is in
the data segment, the OOB access is not detected by tools as valgrind or
ASAN. This adds a check to ensure y is less than or equal to 127, just
like in other cases where dec64table[] is accessed.
Note that removal of the y == 0 condition is not a problem, as
dec64table[0] == 255, so the second part of the condition is true.
while (isspace(y = *code++)) ;
/* debug_printf("b64d: '%c'\n", y); */
while (isspace(y = *code++)) ;
/* debug_printf("b64d: '%c'\n", y); */
- if (y == 0 || (y = dec64table[y]) == 255)
+ if (y > 127 || (y = dec64table[y]) == 255)
return -1;
*result++ = (x << 2) | (y >> 4);
return -1;
*result++ = (x << 2) | (y >> 4);