Merge branch fix-base64-arithmetic-overflows

Fix potential integer overflows in the function mbedtls_base64_decode(). This overflow would mainly be exploitable in 32-bit systems and could cause buffer bound checks to be bypassed.
2024-11-23 15:15:41 +01:00 · 2017-02-02 09:15:05 +00:00 · 2017-02-02 09:15:05 +00:00 · 8cf6d31f54
commit 8cf6d31f54
parent 0289920d12 3e3698ca30
2 changed files with 3 additions and 1 deletions
--- a/2
+++ b/2
@ -9,6 +9,8 @@ Bugfix
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
   * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
+   * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
+     cause buffer bound checks to be bypassed. Found by Eyal Itkin.

 = mbed TLS 1.3.18 branch 2016-10-17

--- a/library/base64.c
+++ b/library/base64.c
@ -198,7 +198,7 @@ int base64_decode( unsigned char *dst, size_t *dlen,
        return( 0 );
    }

-    n = ( ( n * 6 ) + 7 ) >> 3;
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
    n -= j;

    if( dst == NULL || *dlen < n )