packages/apr-util
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
apr-util/backport-CVE-2022-25147-apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch

160 lines
5.1 KiB
Diff
Raw Normal View History

Fix CVE-2022-25147
2023-02-14 11:10:43 +08:00
From 850cc4f69639ac9f1c1c9767efaf4883ee3217ce Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Thu, 23 Jun 2022 15:12:47 +0000
Subject: [PATCH] apr_base64: Make sure encoding/decoding lengths fit in an int
>= 0.
The (old) API of apr_base64 functions has always used int for representing
lengths and it does not return errors. Make sure to abort() if the provided
data don't fit.
* encoding/apr_base64.c():
#define APR_BASE64_ENCODE_MAX and APR_BASE64_DECODE_MAX as the hard length
limits for encoding and decoding respectively.
* encoding/apr_base64.c(apr_base64_encode_len, apr_base64_encode,
apr_base64_encode_binary, apr_pbase64_encode):
abort() if the given length is above APR_BASE64_ENCODE_MAX.
* encoding/apr_base64.c(apr_base64_decode_len, apr_base64_decode,
apr_base64_decode_binary, apr_pbase64_decode):
abort() if the given plain buffer length is above APR_BASE64_DECODE_MAX.
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1902206 13f79535-47bb-0310-9956-ffa450edef68
---
encoding/apr_base64.c | 46 ++++++++++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 18 deletions(-)
diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
index b4b28cf75..f5c2786ad 100644
--- a/encoding/apr_base64.c
+++ b/encoding/apr_base64.c
@@ -20,11 +20,20 @@
* ugly 'len' functions, which is quite a nasty cost.
*/
+#undef NDEBUG /* always abort() on assert()ion failure */
+#include <assert.h>
+
#include "apr_base64.h"
#if APR_CHARSET_EBCDIC
#include "apr_xlate.h"
#endif /* APR_CHARSET_EBCDIC */
+/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
+#define APR_BASE64_ENCODE_MAX 1610612733
+
+/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
+#define APR_BASE64_DECODE_MAX 2863311524u
+
/* aaaack but it's fast and const should make it shared text page. */
static const unsigned char pr2six[256] =
{
@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
{
- int nbytesdecoded;
register const unsigned char *bufin;
register apr_size_t nprbytes;
bufin = (const unsigned char *) bufcoded;
while (pr2six[*(bufin++)] <= 63);
-
nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+ assert(nprbytes <= APR_BASE64_DECODE_MAX);
- return nbytesdecoded + 1;
+ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
}
APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
{
#if APR_CHARSET_EBCDIC
apr_size_t inbytes_left, outbytes_left;
-#endif /* APR_CHARSET_EBCDIC */
+#endif /* APR_CHARSET_EBCDIC */
int len;
len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
@@ -154,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
bufin = (const unsigned char *) bufcoded;
while (pr2six[*(bufin++)] <= 63);
nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+ assert(nprbytes <= APR_BASE64_DECODE_MAX);
+ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
bufout = (unsigned char *) bufplain;
bufin = (const unsigned char *) bufcoded;
- while (nprbytes > 4) {
+ while (nprbytes >= 4) {
*(bufout++) =
(unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
*(bufout++) =
@@ -179,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
*(bufout++) =
(unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
}
- if (nprbytes > 3) {
- *(bufout++) =
- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
- }
- nbytesdecoded -= (4 - (int)nprbytes) & 3;
- return nbytesdecoded;
+ return nbytesdecoded - (int)((4u - nprbytes) & 3u);
}
static const char basis_64[] =
@@ -203,6 +206,8 @@ static const char basis_64[] =
APU_DECLARE(int) apr_base64_encode_len(int len)
{
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
return ((len + 2) / 3 * 4) + 1;
}
@@ -214,6 +219,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
int i;
char *p;
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
@@ -238,7 +245,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
}
*p++ = '\0';
- return p - encoded;
+ return (unsigned int)(p - encoded);
#endif /* APR_CHARSET_EBCDIC */
}
@@ -251,6 +258,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
int i;
char *p;
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
p = encoded;
for (i = 0; i < len - 2; i += 3) {
*p++ = basis_64[(string[i] >> 2) & 0x3F];
@@ -275,5 +284,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
}
*p++ = '\0';
- return (int)(p - encoded);
+ return (unsigned int)(p - encoded);
}
--
2.27.0
Reference in New Issue Copy Permalink