From be2b335dc24da491d886dfa68d2c35b38f95d59a Mon Sep 17 00:00:00 2001
From: Markus Mohrhard <markus.mohrhard@googlemail.com>
Date: Thu, 14 Aug 2014 01:33:48 +0200
Subject: [PATCH] fix invalid memory access in base64 functions
Boost expects the input to be a multiple of 3 bytes for the encoding and
a multiple of 4 bytes for the decoding. Otherwise it accesses past the
end of the input array. Therefore we now pad with '\0' and replace the
generated 'A' with '='.
---
src/parser/base64.cpp | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/parser/base64.cpp b/src/parser/base64.cpp
index 3d9d770..11ea38e 100644
--- a/src/parser/base64.cpp
+++ b/src/parser/base64.cpp
@@ -49,9 +49,20 @@ void encode_to_base64(const std::vector<char>& input, string& encoded)
if (input.empty())
return;
- string _encoded(to_base64(input.begin()), to_base64(input.end()));
- size_t pad_size = (3 - input.size() % 3) % 3;
- _encoded.append(pad_size, '=');
+ std::vector<char> inp = input;
+ size_t pad_size = (3 - inp.size() % 3) % 3;
+ inp.resize(inp.size() + pad_size);
+
+ string _encoded(to_base64(inp.begin()), to_base64(inp.end()));
+
+ string::reverse_iterator it = _encoded.rbegin();
+ for (size_t i = 0; i < pad_size; ++i, ++it)
+ {
+ // 'A' is a base64 encoding of '\0'
+ // replace them with padding charachters '='
+ if (*it == 'A')
+ *it = '=';
+ }
encoded.swap(_encoded);
}
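Review bot: The commit message says Boost also reads past the end of the input when decoding data that is not a multiple of 4 bytes, but the diffstat (14 insertions, 3 deletions) is fully accounted for by this encode hunk, so the decode path appears to be unchanged in this commit. The decoder is not visible here, but if it is fed base64 text taken from parsed documents it is the side that sees untrusted input, so it is worth confirming that it rejects or pads lengths that are not a multiple of 4 before the Boost iterators run. Within this hunk, the last `pad_size` output characters are built only from the appended zero bytes and are therefore always 'A', which makes the `if (*it == 'A')` test redundant. A comment such as `// the trailing pad_size sextets come only from the appended '\0' bytes, so they are always 'A'` would make that invariant explicit, and the existing comment misspells "characters".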
--
2.3.4