From: Alexander Larsson Date: Thu, 4 May 2006 15:53:36 +0000 (+0000) Subject: Fix OOB write (#340538) X-Git-Url: http://git.openbox.org/?a=commitdiff_plain;h=ac059df75b2f713256432cceb0fe48df022aa5e0;p=dana%2Fcg-glib.git Fix OOB write (#340538) 2006-05-04 Alexander Larsson * glib/gbase64.c: (g_base64_decode_step): Fix OOB write (#340538)
---
diff --git a/ChangeLog b/ChangeLog
index 2e8d7a82..af1edf50 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2006-05-04 Alexander Larsson
+
+ * glib/gbase64.c: (g_base64_decode_step):
+ Fix OOB write (#340538)
+
 2006-05-03 Matthias Clasen
 * tests/base64-test.c: Add some more tests.
diff --git a/ChangeLog.pre-2-12 b/ChangeLog.pre-2-12
index 2e8d7a82..af1edf50 100644
--- a/ChangeLog.pre-2-12
+++ b/ChangeLog.pre-2-12
@@ -1,3 +1,8 @@
+2006-05-04 Alexander Larsson
+
+ * glib/gbase64.c: (g_base64_decode_step):
+ Fix OOB write (#340538)
+
 2006-05-03 Matthias Clasen
 * tests/base64-test.c: Add some more tests.
diff --git a/glib/gbase64.c b/glib/gbase64.c
index 14f20d39..08c1c241 100644
--- a/glib/gbase64.c
+++ b/glib/gbase64.c
@@ -280,7 +280,8 @@ g_base64_decode_step (const gchar *in,
 const guchar *inptr;
 guchar *outptr;
 const guchar *inend;
- guchar c;
+ guchar c, rank;
+ guchar last[2];
 unsigned int v;
 int i;
@@ -291,18 +292,24 @@ g_base64_decode_step (const gchar *in,
 v=*save;
 i=*state;
 inptr = (const guchar *)in;
+ last[0] = last[1] = 0;
 while (inptr < inend)
 {
- c = mime_base64_rank [*inptr++];
- if (c != 0xff)
+ c = *inptr++;
+ rank = mime_base64_rank [c];
+ if (rank != 0xff)
 {
- v = (v<<6) | c;
+ last[1] = last[0];
+ last[0] = c;
+ v = (v<<6) | rank;
 i++;
 if (i==4)
 {
 *outptr++ = v>>16;
- *outptr++ = v>>8;
- *outptr++ = v;
+ if (last[1] != '=')
+ *outptr++ = v>>8;
+ if (last[0] != '=')
+ *outptr++ = v;
 i=0;
 }
 }
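Review bot: `last[]` is a local that the added `last[0] = last[1] = 0;` resets on every call, so whether the previous significant character was '=' is lost at a call boundary, unlike `v` and `i`, which travel through `*save` and `*state`. When a caller feeds the input in pieces and the split falls right after the first '=' of a "==" tail, the next call sees `last[1] == 0` and still emits the `v>>8` byte, so the decoded length comes out one byte too long. One way to carry the flag without changing the signature is the sign of `*state`: `if (i < 0) { i = -i; last[0] = '='; }` after the reset, and `*state = last[0] == '=' ? -i : i;` where the state is stored (that store is in the next hunk; the function starts and ends outside this one). A test that decodes a padded string split at every offset would pin this down.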
@@ -311,21 +318,6 @@ g_base64_decode_step (const gchar *in,
 *save = v;
 *state = i;
- /* quick scan back for '=' on the end somewhere */
- /* fortunately we can drop 1 output char for each trailing = (upto 2) */
- i=2;
- while (inptr > (const guchar *)in && i)
- {
- inptr--;
- if (mime_base64_rank [*inptr] != 0xff)
- {
- if (*inptr == '=')
- outptr--;
- i--;
- }
- }
-
- /* if i!= 0 then there is a truncation error! */
 return outptr - out;
 }