author | Tobias Brunner <tobias@strongswan.org> | 2017-05-04 16:16:33 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 18:29:12 +0200 |
commit | aed77b096191f395e347c4aa00cbb7797c03d0f6 (patch) | |
tree | 5cee5c43d0dbaf159e91b1fdc63a7313eb04f29b | |
parent | f5aef3a02028fa986e80187872656b52b3249a6a (diff) | |

chunk: Correctly parse Base64 text where four = follow in a row

That's not correct Base64 but invalid data could trigger this. Since
outlen would get reduced four times, but is only ever increased three
times per iteration, this could result in an integer underflow and then
a potential buffer overflow.
-rw-r--r-- | src/libstrongswan/utils/chunk.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c index 0c50ab788..8f4b7efff 100644 --- a/src/libstrongswan/utils/chunk.c +++ b/src/libstrongswan/utils/chunk.c @@ -643,7 +643,7 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf) outlen += 3; for (j = 0; j < 4; j++) { - if (*pos == '=') + if (*pos == '=' && outlen > 0) { outlen--; } |
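
Review bot: the `outlen > 0` guard added to the `*pos == '='` test in `chunk_from_base64()` clamps the length but still accepts the malformed group, so input with four `=` in a row decodes silently instead of being rejected. Valid Base64 carries at most two `=` per group of four, and only in the last two positions, so consider failing the decode when `=` appears at `j < 2` rather than only stopping the decrement. If clamping is the intended behaviour, a short comment at the check saying it keeps `outlen` from wrapping below zero would help, since the reason is otherwise only in the commit message. The hunk does not show the writes into `buf`, so it is worth confirming that the number of bytes written for such a group can never exceed the clamped `outlen`, and adding a unit test with `====` input to pin that down.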