apr/backport-apr_decode_base-64-32-16-stop-reading-before-not-inc.patch

From e70d77ecc4aa9e0dccac6e7e5ba74639f71f50cf Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 27 Nov 2020 17:04:06 +0000
Subject: [PATCH] apr_decode_base{64,32,16}: stop reading before (not
 including) NUL byte.

git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1883870 13f79535-47bb-0310-9956-ffa450edef68
---
 encoding/apr_encode.c | 60 ++++++++++++++++++++++++++++++-------------
 test/testencode.c     | 24 ++++++++++++-----
 2 files changed, 59 insertions(+), 25 deletions(-)

diff --git a/encoding/apr_encode.c b/encoding/apr_encode.c
index b3278c7fd..bc2dc5437 100644
--- a/encoding/apr_encode.c
+++ b/encoding/apr_encode.c
@@ -394,11 +394,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64(char *dest, const char *src,
         apr_status_t status;
 
         bufin = (const unsigned char *)src;
-        while (pr2six[*(bufin++)] < 64 && count)
+        while (count && pr2six[*bufin] < 64) {
             count--;
-        nprbytes = (bufin - (const unsigned char *)src) - 1;
-        while (pr2six[*(bufin++)] > 64 && count)
+            bufin++;
+        }
+        nprbytes = bufin - (const unsigned char *)src;
+        while (count && pr2six[*bufin] > 64) {
             count--;
+            bufin++;
+        }
 
         status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
             count ? APR_BADCH : APR_SUCCESS;
@@ -469,11 +473,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64_binary(unsigned char *dest,
         apr_status_t status;
 
         bufin = (const unsigned char *)src;
-        while (pr2six[*(bufin++)] < 64 && count)
+        while (count && pr2six[*bufin] < 64) {
             count--;
-        nprbytes = (bufin - (const unsigned char *)src) - 1;
-        while (pr2six[*(bufin++)] > 64 && count)
+            bufin++;
+        }
+        nprbytes = bufin - (const unsigned char *)src;
+        while (count && pr2six[*bufin] > 64) {
             count--;
+            bufin++;
+        }
 
         status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
             count ? APR_BADCH : APR_SUCCESS;
@@ -842,11 +850,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32(char *dest, const char *src,
         }
 
         bufin = (const unsigned char *)src;
-        while (pr2[*(bufin++)] < 32 && count)
+        while (count && pr2[*bufin] < 32) {
             count--;
-        nprbytes = (bufin - (const unsigned char *)src) - 1;
-        while (pr2[*(bufin++)] > 32 && count)
+            bufin++;
+        }
+        nprbytes = bufin - (const unsigned char *)src;
+        while (count && pr2[*bufin] > 32) {
             count--;
+            bufin++;
+        }
 
         status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
             count ? APR_BADCH : APR_SUCCESS;
@@ -945,11 +957,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32_binary(unsigned char *dest,
         }
 
         bufin = (const unsigned char *)src;
-        while (pr2[*(bufin++)] < 32 && count)
+        while (count && pr2[*bufin] < 32) {
             count--;
-        nprbytes = (bufin - (const unsigned char *)src) - 1;
-        while (pr2[*(bufin++)] > 32 && count)
+            bufin++;
+        }
+        nprbytes = bufin - (const unsigned char *)src;
+        while (count && pr2[*bufin] > 32) {
             count--;
+            bufin++;
+        }
 
         status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
             count ? APR_BADCH : APR_SUCCESS;
@@ -1220,11 +1236,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16(char *dest,
 
     count = slen;
     bufin = (const unsigned char *)src;
-    while (pr2two[*(bufin++)] != 16 && count)
+    while (count && pr2two[*bufin] != 16) {
         count--;
-    nprbytes = (bufin - (const unsigned char *)src) - 1;
-    while (pr2two[*(bufin++)] > 16 && count)
+        bufin++;
+    }
+    nprbytes = bufin - (const unsigned char *)src;
+    while (count && pr2two[*bufin] > 16) {
         count--;
+        bufin++;
+    }
 
     status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
         count ? APR_BADCH : APR_SUCCESS;
@@ -1310,11 +1330,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16_binary(unsigned char *dest,
 
     count = slen;
     bufin = (const unsigned char *)src;
-    while (pr2two[*(bufin++)] != 16 && count)
+    while (count && pr2two[*bufin] != 16) {
         count--;
-    nprbytes = (bufin - (const unsigned char *)src) - 1;
-    while (pr2two[*(bufin++)] > 16 && count)
+        bufin++;
+    }
+    nprbytes = bufin - (const unsigned char *)src;
+    while (count && pr2two[*bufin] > 16) {
         count--;
+        bufin++;
+    }
 
     status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
         count ? APR_BADCH : APR_SUCCESS;
diff --git a/test/testencode.c b/test/testencode.c
index 3680fa380..ba23aaf28 100644
--- a/test/testencode.c
+++ b/test/testencode.c
@@ -134,37 +134,42 @@ static void test_decode_base64(abts_case * tc, void *data)
     src = "";
     target = "";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zg==";
     target = "f";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
+
+    src = "Zg=";
+    target = "f";
+    dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zg";
     target = "f";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zm8=";
     target = "fo";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zm8";
     target = "fo";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zm9v";
     target = "foo";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     src = "Zm9v";
     target = "foo";
     dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
-    ABTS_STR_EQUAL(tc, dest, target);
+    ABTS_STR_EQUAL(tc, target, dest);
 
     apr_pool_destroy(pool);
 }
@@ -191,6 +196,11 @@ static void test_decode_base64_binary(abts_case * tc, void *data)
     ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
     ABTS_INT_EQUAL(tc, len, 1);
 
+    src = "Zg=";
+    udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
+    ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
+    ABTS_INT_EQUAL(tc, len, 1);
+
     src = "Zg";
     udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
     ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
-- 
2.27.0
Fix CVE-2022-24963 2023-02-13 11:33:22 +08:00			`From e70d77ecc4aa9e0dccac6e7e5ba74639f71f50cf Mon Sep 17 00:00:00 2001`
			`From: Yann Ylavic <ylavic@apache.org>`
			`Date: Fri, 27 Nov 2020 17:04:06 +0000`
			`Subject: [PATCH] apr_decode_base{64,32,16}: stop reading before (not`
			`including) NUL byte.`

			`git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1883870 13f79535-47bb-0310-9956-ffa450edef68`
			`---`
			`encoding/apr_encode.c \| 60 ++++++++++++++++++++++++++++++-------------`
			`test/testencode.c \| 24 ++++++++++++-----`
			`2 files changed, 59 insertions(+), 25 deletions(-)`

			`diff --git a/encoding/apr_encode.c b/encoding/apr_encode.c`
			`index b3278c7fd..bc2dc5437 100644`
			`--- a/encoding/apr_encode.c`
			`+++ b/encoding/apr_encode.c`
			`@@ -394,11 +394,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64(char dest, const char src,`
			`apr_status_t status;`

			`bufin = (const unsigned char *)src;`
			`- while (pr2six[*(bufin++)] < 64 && count)`
			`+ while (count && pr2six[*bufin] < 64) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2six[*(bufin++)] > 64 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2six[*bufin] > 64) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`@@ -469,11 +473,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64_binary(unsigned char *dest,`
			`apr_status_t status;`

			`bufin = (const unsigned char *)src;`
			`- while (pr2six[*(bufin++)] < 64 && count)`
			`+ while (count && pr2six[*bufin] < 64) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2six[*(bufin++)] > 64 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2six[*bufin] > 64) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`@@ -842,11 +850,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32(char dest, const char src,`
			`}`

			`bufin = (const unsigned char *)src;`
			`- while (pr2[*(bufin++)] < 32 && count)`
			`+ while (count && pr2[*bufin] < 32) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2[*(bufin++)] > 32 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2[*bufin] > 32) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`@@ -945,11 +957,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32_binary(unsigned char *dest,`
			`}`

			`bufin = (const unsigned char *)src;`
			`- while (pr2[*(bufin++)] < 32 && count)`
			`+ while (count && pr2[*bufin] < 32) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2[*(bufin++)] > 32 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2[*bufin] > 32) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`@@ -1220,11 +1236,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16(char *dest,`

			`count = slen;`
			`bufin = (const unsigned char *)src;`
			`- while (pr2two[*(bufin++)] != 16 && count)`
			`+ while (count && pr2two[*bufin] != 16) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2two[*(bufin++)] > 16 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2two[*bufin] > 16) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`@@ -1310,11 +1330,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16_binary(unsigned char *dest,`

			`count = slen;`
			`bufin = (const unsigned char *)src;`
			`- while (pr2two[*(bufin++)] != 16 && count)`
			`+ while (count && pr2two[*bufin] != 16) {`
			`count--;`
			`- nprbytes = (bufin - (const unsigned char *)src) - 1;`
			`- while (pr2two[*(bufin++)] > 16 && count)`
			`+ bufin++;`
			`+ }`
			`+ nprbytes = bufin - (const unsigned char *)src;`
			`+ while (count && pr2two[*bufin] > 16) {`
			`count--;`
			`+ bufin++;`
			`+ }`

			`status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :`
			`count ? APR_BADCH : APR_SUCCESS;`
			`diff --git a/test/testencode.c b/test/testencode.c`
			`index 3680fa380..ba23aaf28 100644`
			`--- a/test/testencode.c`
			`+++ b/test/testencode.c`
			`@@ -134,37 +134,42 @@ static void test_decode_base64(abts_case * tc, void *data)`
			`src = "";`
			`target = "";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zg==";`
			`target = "f";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`
			`+`
			`+ src = "Zg=";`
			`+ target = "f";`
			`+ dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zg";`
			`target = "f";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zm8=";`
			`target = "fo";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zm8";`
			`target = "fo";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zm9v";`
			`target = "foo";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`src = "Zm9v";`
			`target = "foo";`
			`dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`- ABTS_STR_EQUAL(tc, dest, target);`
			`+ ABTS_STR_EQUAL(tc, target, dest);`

			`apr_pool_destroy(pool);`
			`}`
			`@@ -191,6 +196,11 @@ static void test_decode_base64_binary(abts_case * tc, void *data)`
			`ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);`
			`ABTS_INT_EQUAL(tc, len, 1);`

			`+ src = "Zg=";`
			`+ udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`+ ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);`
			`+ ABTS_INT_EQUAL(tc, len, 1);`
			`+`
			`src = "Zg";`
			`udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);`
			`ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);`
			`--`
			`2.27.0`