From patchwork Thu Aug 23 10:39:30 2018
X-Patchwork-Submitter: Mikael Eliasson
X-Patchwork-Id: 961274
From: Mikael Eliasson
To: buildroot@buildroot.org
Cc: Mikael Eliasson
Date: Thu, 23 Aug 2018 12:39:30 +0200
Message-Id: <20180823103930.5112-1-mikael@robomagi.com>
Subject: [Buildroot] [PATCH 6/6] libb64: Fix integer overflow and uninitialized C++ objects.

Signed-off-by: Mikael Eliasson
--- package/libb64/0001-Integer-overflows.patch | 68 +++++++++++++++++++++ package/libb64/libb64.hash | 1 + package/libb64/libb64.mk | 1 + 3 files changed, 70 insertions(+) create mode 100644 package/libb64/0001-Integer-overflows.patch diff --git a/package/libb64/0001-Integer-overflows.patch b/package/libb64/0001-Integer-overflows.patch new file mode 100644 index 0000000000..ea25bb7dd3 --- /dev/null +++ b/package/libb64/0001-Integer-overflows.patch 
@@ -0,0 +1,68 @@ +Fix integer overflows. +Fetch from: https://sources.debian.org/patches/libb64/1.2-5/ +Combined "integer overflows.diff" and "off by one.diff" and adapted for version 1.2.1. + +Signed-off-by: Mikael Eliasson +diff --git a/src/cdecode.c b/src/cdecode.c +index a6c0a42..45da4e1 100644 +--- a/src/cdecode.c ++++ b/src/cdecode.c +@@ -9,10 +9,11 @@ For details, see http://sourceforge.net/projects/libb64 + + int base64_decode_value(char value_in) + { +- static const char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; ++ static const signed char decoding[] = {62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-2,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51}; + static const char decoding_size = sizeof(decoding); ++ if (value_in < 43) return -1; + value_in -= 43; +- if (value_in < 0 || value_in >= decoding_size) return -1; ++ if (value_in >= decoding_size) return -1; + return decoding[(int)value_in]; + } + +@@ -26,7 +27,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + { + const char* codechar = code_in; + char* plainchar = plaintext_out; +- char fragment; ++ int fragment; + + *plainchar = state_in->plainchar; + +@@ -42,7 +43,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar = (fragment & 0x03f) << 2; + case step_b: +@@ -53,7 +54,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; 
+ return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x030) >> 4; + *plainchar = (fragment & 0x00f) << 4; +@@ -65,7 +66,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03c) >> 2; + *plainchar = (fragment & 0x003) << 6; +@@ -77,7 +78,7 @@ int base64_decode_block(const char* code_in, const int length_in, char* plaintex + state_in->plainchar = *plainchar; + return plainchar - plaintext_out; + } +- fragment = (char)base64_decode_value(*codechar++); ++ fragment = base64_decode_value(*codechar++); + } while (fragment < 0); + *plainchar++ |= (fragment & 0x03f); + } diff --git a/package/libb64/libb64.hash b/package/libb64/libb64.hash index 0ed8065f12..f3a997cac6 100644 --- a/package/libb64/libb64.hash +++ b/package/libb64/libb64.hash @@ -1,6 +1,7 @@ # sha1 from sourceforge, sha256 locally computed sha1 04b3e21b8c951d27f02fe91249ca3474554af0b9 libb64-1.2.1.zip sha256 20106f0ba95cfd9c35a13c71206643e3fb3e46512df3e2efb2fdbf87116314b2 libb64-1.2.1.zip +sha256 e969d00eb18fbd2d0a2e09b293f118afc70d9ced121b55743d764e849c4fecac initialize-coder-state.diff # Hash for license file: sha256 834b7afa1b3c40289a3be775d3625016be1c0d7ea7a4a26c1eb207f53dc961d8 LICENSE diff --git a/package/libb64/libb64.mk b/package/libb64/libb64.mk index ed6d3cf4b4..c18921502b 100644 --- a/package/libb64/libb64.mk +++ b/package/libb64/libb64.mk 
@@ -7,6 +7,7 @@ LIBB64_VERSION = 1.2.1 LIBB64_SOURCE = libb64-$(LIBB64_VERSION).zip LIBB64_SITE = https://downloads.sourceforge.net/project/libb64/libb64/libb64 +LIBB64_PATCH = https://sources.debian.org/data/main/libb/libb64/1.2-5/debian/patches/initialize-coder-state.diff LIBB64_LICENSE = Public Domain LIBB64_LICENSE_FILES = LICENSE LIBB64_INSTALL_STAGING = YES
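Review bot: in the base64_decode_value hunk of src/cdecode.c, the index arithmetic still runs in plain char: "value_in -= 43" modifies the char parameter and decoding_size stays "static const char", so the bounds check only reads correctly once the reader has worked through both the signed and the unsigned char case. Suggest copying the input into an int (or unsigned char) before the range checks, declaring the size as size_t, and writing the lower bound as '+' instead of 43 so the relation to the table's first entry is visible.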
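Review bot: the description at the top of 0001-Integer-overflows.patch does not say what the fragment change in the four base64_decode_block hunks fixes. With "char fragment" and the "(char)" cast, the "while (fragment < 0)" loop cannot see the -1 that base64_decode_value returns for invalid input on targets where plain char is unsigned, so invalid characters are decoded as data; one sentence saying so would tell Buildroot users which targets are affected. Separately, these hunks still take length_in as "const int" and return "plainchar - plaintext_out" through an int; if that is intentionally out of scope for a patch titled "Fix integer overflows", please say so in the header.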
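Review bot: the commit message has no body, and the "uninitialized C++ objects" half of the subject is only visible as the LIBB64_PATCH line in the libb64.mk hunk. Please explain that initialize-coder-state.diff is downloaded from Debian 1.2-5 and verified by the new sha256 line in libb64.hash, while the overflow fix is carried as a local patch because it had to be adapted for 1.2.1. The "Fetch from:" line in the local patch points at the patch directory; naming the exact URLs of "integer overflows.diff" and "off by one.diff" would make the origin of the combined patch checkable.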