base64: fix possible null pointer dereference
authorPetr Štetiar <ynezz@true.cz>
Tue, 19 Nov 2019 16:16:40 +0000 (17:16 +0100)
committerPetr Štetiar <ynezz@true.cz>
Sun, 24 Nov 2019 12:26:58 +0000 (13:26 +0100)
clang-10 analyzer reports following:

 base64.c:325:20: warning: Array access (from variable 'target') results in a null pointer dereference
                 target[tarindex] = 0;
                 ~~~~~~           ^

and prepared test case confirms it:

 Invalid write of size 1
    at 0x4E4463F: b64_decode (base64.c:325)
    by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
    by 0x40088C: main (tests/test-base64.c:32)
  Address 0x1 is not stack'd, malloc'd or (recently) free'd

 Process terminating with default action of signal 11 (SIGSEGV)
  Access not within mapped region at address 0x1
    at 0x4E4463F: b64_decode (base64.c:325)
    by 0x40088C: test_invalid_inputs (tests/test-base64.c:26)
    by 0x40088C: main (tests/test-base64.c:32)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
base64.c
tests/cram/test_base64.t
tests/test-b64_decode.c [new file with mode: 0644]
tests/test-b64_encode.c [new file with mode: 0644]

index 4759ede..1bf2177 100644 (file)
--- a/base64.c
+++ b/base64.c
@@ -65,6 +65,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
+#include "assert.h"
 #include "utils.h"
 
 static const char Base64[] =
@@ -144,6 +146,8 @@ int b64_encode(const void *_src, size_t srclength,
        u_char output[4];
        size_t i;
 
+       assert(dest && targsize > 0);
+
        while (2 < srclength) {
                input[0] = *src++;
                input[1] = *src++;
@@ -208,6 +212,8 @@ int b64_decode(const void *_src, void *dest, size_t targsize)
        state = 0;
        tarindex = 0;
 
+       assert(dest && targsize > 0);
+
        while ((ch = (unsigned char)*src++) != '\0') {
                if (isspace(ch))        /* Skip whitespace anywhere. */
                        continue;
index 4f8809f..0a7a9d5 100644 (file)
@@ -19,3 +19,15 @@ check that base64 is producing expected results:
   4 foob
   5 fooba
   6 foobar
+
+check that b64_encode and b64_decode assert invalid input
+
+  $ alias check="egrep '(dumped|Assertion)' | sed 's;.*\(b64_.*code\).*\(Assertion.*$\);\1: \2;' | LC_ALL=C sort"
+
+  $ test-b64_decode 2>&1 | check
+  Aborted (core dumped)
+  b64_decode: Assertion `dest && targsize > 0' failed.
+
+  $ test-b64_encode 2>&1 | check
+  Aborted (core dumped)
+  b64_encode: Assertion `dest && targsize > 0' failed.
diff --git a/tests/test-b64_decode.c b/tests/test-b64_decode.c
new file mode 100644 (file)
index 0000000..4798fa8
--- /dev/null
@@ -0,0 +1,7 @@
+#include "utils.h"
+
+int main()
+{
+       b64_decode("Zg==", NULL, 2);
+       return 0;
+}
diff --git a/tests/test-b64_encode.c b/tests/test-b64_encode.c
new file mode 100644 (file)
index 0000000..5f011e5
--- /dev/null
@@ -0,0 +1,7 @@
+#include "utils.h"
+
+int main()
+{
+       b64_encode("foo", 3, NULL, 2);
+       return 0;
+}