From: Tomas Hoger Date: Wed, 7 Mar 2018 10:30:18 +0000 (+0100) Subject: Fix dec64table[] OOB read in b64decode() X-Git-Url: https://git.exim.org/users/jgh/exim.git/commitdiff_plain/889d293b45a5b0124aea16c41294860b3905a262?hp=71bb51e08dc03f768d19f237fed415bc74246de3 Fix dec64table[] OOB read in b64decode() Possible values for y at this point are 0..255. However, dec64table[] only has 128 entries and hence valid indexes are 0..127. The values of y greater than 127 trigger out of bounds read. As dec64table[] is in the data segment, the OOB access is not detected by tools as valgrind or ASAN. This adds a check to ensure y is less than or equal to 127, just like in other cases where dec64table[] is accessed. Note that removal of the y == 0 condition is not a problem, as dec64table[0] == 255, so the second part of the condition is true. --- diff --git a/src/src/base64.c b/src/src/base64.c index dbbd6a40e..e63522ec4 100644 --- a/src/src/base64.c +++ b/src/src/base64.c @@ -173,7 +173,7 @@ while ((x = *code++) != 0) while (isspace(y = *code++)) ; /* debug_printf("b64d: '%c'\n", y); */ - if (y == 0 || (y = dec64table[y]) == 255) + if (y > 127 || (y = dec64table[y]) == 255) return -1; *result++ = (x << 2) | (y >> 4);