diff mbox series

[OpenWrt-Devel,libubox,5/9] base64: b64_decode: fix possible null pointer dereference

Message ID 20191120115926.23272-6-ynezz@true.cz
State Superseded
Headers show
Series fixes, some unit tests and GitLab CI | expand

Commit Message

Petr Štetiar Nov. 20, 2019, 11:59 a.m. UTC
clang-10 analyzer reports following:

 base64.c:325:20: warning: Array access (from variable 'target') results in a null pointer dereference
                 target[tarindex] = 0;
                 ~~~~~~           ^

and prepared test case confirms it:

 Invalid write of size 1
    at 0x4E4463F: b64_decode (base64.c:325)
    by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
    by 0x40088C: main (tests/test-base64.c:32)
  Address 0x1 is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x1
    at 0x4E4463F: b64_decode (base64.c:325)
    by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
    by 0x40088C: main (tests/test-base64.c:32)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 base64.c            |  6 ++++++
 tests/test-base64.c | 15 +++++++++++++++
 2 files changed, 21 insertions(+)
diff mbox series

Patch

diff --git a/base64.c b/base64.c
index 4759ede01e7c..d9f4112179f3 100644
--- a/base64.c
+++ b/base64.c
@@ -144,6 +144,9 @@  int b64_encode(const void *_src, size_t srclength,
 	u_char output[4];
 	size_t i;
 
+	if (!dest || targsize == 0)
+		return -1;
+
 	while (2 < srclength) {
 		input[0] = *src++;
 		input[1] = *src++;
@@ -208,6 +211,9 @@  int b64_decode(const void *_src, void *dest, size_t targsize)
 	state = 0;
 	tarindex = 0;
 
+	if (!dest || targsize == 0)
+		return -1;
+
 	while ((ch = (unsigned char)*src++) != '\0') {
 		if (isspace(ch))	/* Skip whitespace anywhere. */
 			continue;
diff --git a/tests/test-base64.c b/tests/test-base64.c
index c29b4e2c73a3..415fc5969c53 100644
--- a/tests/test-base64.c
+++ b/tests/test-base64.c
@@ -17,8 +17,23 @@  static void test_b64_decode(const char *src)
 	fprintf(stdout, "%d %s\n", r, dst);
 }
 
+static void test_invalid_inputs()
+{
+	b64_decode(NULL, NULL, 0);
+	b64_decode("Zg==", NULL, 0);
+	b64_decode("Zg==", NULL, 2);
+
+	b64_encode(NULL, 0, NULL, 2);
+	b64_encode(NULL, 2, NULL, 2);
+	b64_encode("foo", 3, NULL, 2);
+	b64_encode("foo", 3, NULL, 0);
+}
+
 int main()
 {
+
+	test_invalid_inputs();
+
 	test_b64_encode("");
 	test_b64_encode("f");
 	test_b64_encode("fo");