Fix integer overflow in mbedtls_base64_decode()

Fix potential integer overflows in the function mbedtls_base64_decode(). This overflow would mainly be exploitable in 32-bit systems and could cause buffer bound checks to be bypassed.
2024-11-23 17:15:48 +01:00 · 2017-01-18 17:21:03 +00:00 · 2017-01-18 17:21:03 +00:00 · 81d126f923
commit 81d126f923
parent 016a0d3b6f
2 changed files with 7 additions and 1 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 2.x.x branch released xxxx-xx-xx
+
+Bugfix
+   * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
+     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
+
 = mbed TLS 2.1.6 branch released 2016-10-17

 Security
--- a/library/base64.c
+++ b/library/base64.c
@ -192,7 +192,7 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
        return( 0 );
    }

-    n = ( ( n * 6 ) + 7 ) >> 3;
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
    n -= j;

    if( dst == NULL || dlen < n )