base64: Added basic validation to base64 input string when decoding

A base64 string should be a multiple of 4 characters in length, not contain any more than 2 padding characters and only contain padding characters at the end of string. For example: Y3VybA== Strings such as the following are considered invalid: Y= - Invalid length Y== - Invalid length Y=== - More than two padding characters Y=x= - Padding character contained within string
2013-10-30 07:31:22 +00:00 · 2013-10-30 07:31:22 +00:00 · e17c1b25bc
parent 7d1eb66cd7
commit e17c1b25bc
2 changed files with 33 additions and 6 deletions
--- a/lib/base64.c
+++ b/lib/base64.c
@ -82,6 +82,7 @@ static void decodeQuantum(unsigned char *dest, const char *src)
 CURLcode Curl_base64_decode(const char *src,
                            unsigned char **outptr, size_t *outlen)
 {
+  size_t srcLen = 0;
  size_t length = 0;
  size_t equalsTerm = 0;
  size_t i;
@ -92,21 +93,31 @@ CURLcode Curl_base64_decode(const char *src,

  *outptr = NULL;
  *outlen = 0;
+  srcLen = strlen(src);

+  /* Check the length of the input string is valid */
+  if(!srcLen || srcLen % 4)
+    return CURLE_BAD_CONTENT_ENCODING;
+
+  /* Find the position of any = padding characters */
  while((src[length] != '=') && src[length])
    length++;
+
  /* A maximum of two = padding characters is allowed */
  if(src[length] == '=') {
    equalsTerm++;
    if(src[length+equalsTerm] == '=')
      equalsTerm++;
  }
+  
+  /* Check the = padding characters weren't part way through the input */
+  if(length + equalsTerm != srcLen)
+    return CURLE_BAD_CONTENT_ENCODING;
+
+  /* Calculate the number of quantums */
  numQuantums = (length + equalsTerm) / 4;

-  /* Don't allocate a buffer if the decoded length is 0 */
-  if(numQuantums == 0)
-    return CURLE_OK;
-
+  /* Calculate the size of the decoded string */
  rawlen = (numQuantums * 3) - equalsTerm;

  /* The buffer must be large enough to make room for the last quantum
--- a/tests/unit/unit1302.c
+++ b/tests/unit/unit1302.c
@ -104,11 +104,27 @@ fail_unless(size == 1, "size should be 1");
 verify_memory(decoded, "i", 2);
 Curl_safefree(decoded);

-/* this is an illegal input */
+/* This is illegal input as the data is too short */
 size = 1; /* not zero */
 decoded = &anychar; /* not NULL */
 rc = Curl_base64_decode("aQ", &decoded, &size);
-/* return code indiferent, but output shall be as follows */
+fail_unless(rc == CURLE_BAD_CONTENT_ENCODING, "return code should be CURLE_BAD_CONTENT_ENCODING");
+fail_unless(size == 0, "size should be 0");
+fail_if(decoded, "returned pointer should be NULL");
+
+/* This is illegal input as it contains three padding characters */
+size = 1; /* not zero */
+decoded = &anychar; /* not NULL */
+rc = Curl_base64_decode("a===", &decoded, &size);
+fail_unless(rc == CURLE_BAD_CONTENT_ENCODING, "return code should be CURLE_BAD_CONTENT_ENCODING");
+fail_unless(size == 0, "size should be 0");
+fail_if(decoded, "returned pointer should be NULL");
+
+/* This is illegal input as it contains a padding character mid input */
+size = 1; /* not zero */
+decoded = &anychar; /* not NULL */
+rc = Curl_base64_decode("a=Q=", &decoded, &size);
+fail_unless(rc == CURLE_BAD_CONTENT_ENCODING, "return code should be CURLE_BAD_CONTENT_ENCODING");
 fail_unless(size == 0, "size should be 0");
 fail_if(decoded, "returned pointer should be NULL");