Re: [kan@dcit.cz: bugs in lib/base64.c]

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Mon, 2 Jul 2001 09:07:30 -0600 (MDT)

Pavel Kankovsky wrote:

> If the input text is long enough, the loop will be executed for
> (out_cnt, char_count) = (0, 0), (0, 1), (0, 2), (0, 3), (4, 0),
> ..., (BASE64_RESULT_SZ-4, 2), and (BASE64_RESULT_SZ-4, 3). After
> the last mentioned iteration, the loop will terminated because
> out_cnt will be equal to BASE64_RESULT_SZ (8192). When this
> happens, the last quoted command will zero a byte that lies *OUT*
> of space allocated for result, probably corrupting the value of
> another static variable in BSS.

I agree that there is a bug.

> Proposed fix: Replace "out_cnt < sizeof(result) - 1" condition
> with "out_cnt < sizeof(result) - 5" in base64_encode().

The loop in base64_encode() modifies four result[] bytes starting
with out_cnt. Terminating code modifies the fifth byte starting with
out_cnt. (out_cnt + 4) points to the fifth byte starting with out_cnt.
Thus checking for
        out_cnt + 4 < sizeof(result)
or
        out_cnt < sizeof(result) - 4
should be sufficient.

Alex.
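To make the arithmetic above concrete, here is a small model of the loop shape being discussed. It is an added example written for this page, not Squid's lib/base64.c: encode_model(), its cap parameter (standing in for sizeof(result)) and its fixed flag are all assumptions. The function returns the index of the terminating '\0', so the off-by-one shows up as a return value equal to cap rather than as a real out-of-bounds write; the caller's buffer carries a few bytes of slack for that reason.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Model of base64_encode() writing into a buffer of `cap` bytes (assumption:
 * not the real Squid code). fixed == 0 uses the original check
 * "out_cnt < cap - 1"; fixed == 1 uses "out_cnt + 4 < cap".
 * Returns the index where the '\0' was written; `out` must hold cap + 5
 * bytes so the original check's overrun stays inside real memory here. */
size_t encode_model(const char *in, size_t cap, int fixed, char *out)
{
    size_t out_cnt = 0;
    unsigned bits = 0;
    int char_count = 0;
    int c;

    while ((c = (unsigned char)*in++) != 0 &&
           (fixed ? out_cnt + 4 < cap : out_cnt < cap - 1)) {
        bits = (bits << 8) | (unsigned)c;
        if (++char_count == 3) {
            /* four result bytes starting at out_cnt */
            out[out_cnt++] = b64[(bits >> 18) & 0x3f];
            out[out_cnt++] = b64[(bits >> 12) & 0x3f];
            out[out_cnt++] = b64[(bits >> 6) & 0x3f];
            out[out_cnt++] = b64[bits & 0x3f];
            bits = 0;
            char_count = 0;
        }
    }
    if (char_count != 0) {          /* pad a trailing 1- or 2-byte group */
        bits <<= 8 * (3 - char_count);
        out[out_cnt++] = b64[(bits >> 18) & 0x3f];
        out[out_cnt++] = b64[(bits >> 12) & 0x3f];
        out[out_cnt++] = char_count == 2 ? b64[(bits >> 6) & 0x3f] : '=';
        out[out_cnt++] = '=';
    }
    out[out_cnt] = '\0';            /* the fifth byte starting at out_cnt */
    return out_cnt;
}

int main(void)
{
    char buf[8 + 5];                /* cap = 8 stands in for 8192 */
    const char *in = "AAAAAAAAAAAA";/* constructed input: 12 bytes */
    printf("original check: '\\0' at index %zu of %d\n",
           encode_model(in, 8, 0, buf), 8);
    printf("fixed check:    '\\0' at index %zu of %d\n",
           encode_model(in, 8, 1, buf), 8);
    return 0;
}
```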
Received on Mon Jul 02 2001 - 09:07:34 MDT