Merge branch fix-base64-arithmetic-overflows

Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
This commit is contained in:
Simon Butcher 2017-02-02 08:53:03 +00:00
commit 69654cd91b
2 changed files with 3 additions and 1 deletions

View File

@ -9,6 +9,8 @@ Bugfix
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
cause buffer bound checks to be bypassed. Found by Eyal Itkin.
= mbed TLS 2.4.1 branch released 2016-12-13

View File

@ -192,7 +192,7 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
return( 0 );
}
n = ( ( n * 6 ) + 7 ) >> 3;
n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
n -= j;
if( dst == NULL || dlen < n )