@@ -144,6 +144,9 @@ int b64_encode(const void *_src, size_t srclength,
u_char output[4];
size_t i;
+ if (!dest || targsize == 0)
+ return -1;
+
while (2 < srclength) {
input[0] = *src++;
input[1] = *src++;
@@ -208,6 +211,9 @@ int b64_decode(const void *_src, void *dest, size_t targsize)
state = 0;
tarindex = 0;
+ if (!dest || targsize == 0)
+ return -1;
+
while ((ch = (unsigned char)*src++) != '\0') {
if (isspace(ch)) /* Skip whitespace anywhere. */
continue;
@@ -17,8 +17,23 @@ static void test_b64_decode(const char *src)
fprintf(stdout, "%d %s\n", r, dst);
}
+static void test_invalid_inputs()
+{
+ b64_decode(NULL, NULL, 0);
+ b64_decode("Zg==", NULL, 0);
+ b64_decode("Zg==", NULL, 2);
+
+ b64_encode(NULL, 0, NULL, 2);
+ b64_encode(NULL, 2, NULL, 2);
+ b64_encode("foo", 3, NULL, 2);
+ b64_encode("foo", 3, NULL, 0);
+}
+
int main()
{
+
+ test_invalid_inputs();
+
test_b64_encode("");
test_b64_encode("f");
test_b64_encode("fo");
clang-10 analyzer reports following: base64.c:325:20: warning: Array access (from variable 'target') results in a null pointer dereference target[tarindex] = 0; ~~~~~~ ^ and prepared test case confirms it: Invalid write of size 1 at 0x4E4463F: b64_decode (base64.c:325) by 0x40088C: test_invalid_inputs (tests/test-base64.c:26) by 0x40088C: main (tests/test-base64.c:32) Address 0x1 is not stack'd, malloc'd or (recently) free'd Process terminating with default action of signal 11 (SIGSEGV) Access not within mapped region at address 0x1 at 0x4E4463F: b64_decode (base64.c:325) by 0x40088C: test_invalid_inputs (tests/test-base64.c:26) by 0x40088C: main (tests/test-base64.c:32) Signed-off-by: Petr Štetiar <ynezz@true.cz> --- base64.c | 6 ++++++ tests/test-base64.c | 15 +++++++++++++++ 2 files changed, 21 insertions(+)