[maemo-commits] [maemo-commits] r17656 - in projects/haf/trunk/glib: . glib

From: subversion at stage.maemo.org subversion at stage.maemo.org
Date: Thu Mar 12 17:28:18 EET 2009
Author: mitch
Date: 2009-03-12 17:28:14 +0200 (Thu, 12 Mar 2009)
New Revision: 17656

Modified:
   projects/haf/trunk/glib/ChangeLog
   projects/haf/trunk/glib/glib/gbase64.c
Log:
2009-03-12  Michael Natterer  <mitch at imendio.com>

	Merged from upstream:

	* glib/gbase64.c: Avoid integer overflows in the base64
	functions. Fixes CVE-2008-4316



Modified: projects/haf/trunk/glib/ChangeLog
===================================================================
--- projects/haf/trunk/glib/ChangeLog	2009-03-12 13:40:55 UTC (rev 17655)
+++ projects/haf/trunk/glib/ChangeLog	2009-03-12 15:28:14 UTC (rev 17656)
@@ -1,3 +1,10 @@
+2009-03-12  Michael Natterer  <mitch at imendio.com>
+
+	Merged from upstream:
+
+	* glib/gbase64.c: Avoid integer overflows in the base64
+	functions. Fixes CVE-2008-4316
+ 
 2008-12-02 17:23:20  Tim Janik  <timj at imendio.com>
 
 	* configure.in: provide flags needed for ARM backtraces for ARM CPUs only.

Modified: projects/haf/trunk/glib/glib/gbase64.c
===================================================================
--- projects/haf/trunk/glib/glib/gbase64.c	2009-03-12 13:40:55 UTC (rev 17655)
+++ projects/haf/trunk/glib/glib/gbase64.c	2009-03-12 15:28:14 UTC (rev 17656)
@@ -54,8 +54,9 @@
  *
  * The output buffer must be large enough to fit all the data that will
  * be written to it. Due to the way base64 encodes you will need
- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will
- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes.
+ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of
+ * non-zero state). If you enable line-breaking you will need at least:
+ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space.
  *
  * @break_lines is typically used when putting base64-encoded data in emails.
  * It breaks the lines at 72 columns instead of putting all of the text on 
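Review bot: The revised size formula in this doc comment is arithmetic that callers of the step API must evaluate themselves, and the comment does not say that `(@len / 3 + 1) * 4 + 4` (plus the line-breaking extra) can wrap a gsize for very large @len. That is the same class of overflow this commit guards against inside g_base64_encode. Adding a sentence after the formula, such as `Callers must check that this expression does not overflow gsize before allocating.`, would carry the fix to external callers. The doc comment starts and ends outside this hunk, so the surrounding wording is not visible here.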
@@ -233,8 +234,14 @@
   g_return_val_if_fail (data != NULL, NULL);
   g_return_val_if_fail (len > 0, NULL);
 
-  /* We can use a smaller limit here, since we know the saved state is 0 */
-  out = g_malloc (len * 4 / 3 + 4);
+  /* We can use a smaller limit here, since we know the saved state is 0,
+     +1 is needed for trailing \0, also check for unlikely integer overflow */
+  if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3)
+    g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)",
+        G_STRLOC, len);
+
+  out = g_malloc ((len / 3 + 1) * 4 + 1);
+
   outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
   outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
   out[outlen] = '\0';
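Review bot: `outlen` still receives the sum of the two step results before it is used as the index in `out[outlen] = '\0'`, and its declaration lies outside this hunk. If it is a `gint`, as `input_length` was in g_base64_decode before this commit, a length that passes the new G_MAXSIZE check on a 64-bit build could still be narrowed to a truncated or negative index. Declaring it as `gsize outlen;` would keep the terminator write consistent with the widened allocation. The function's doc comment should also state that oversized input ends in `g_error()`, which aborts the process instead of returning NULL.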
@@ -275,7 +282,8 @@
  *
  * The output buffer must be large enough to fit all the data that will
  * be written to it. Since base64 encodes 3 bytes in 4 chars you need
- * at least: @len * 3 / 4 bytes.
+ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero
+ * state).
  * 
  * Return value: The number of bytes of output that was written
  *
@@ -358,7 +366,8 @@
 		 gsize       *out_len)
 {
   guchar *ret;
-  gint input_length, state = 0;
+  gsize input_length;
+  gint state = 0;
   guint save = 0;
   
   g_return_val_if_fail (text != NULL, NULL);
@@ -368,7 +377,9 @@
 
   g_return_val_if_fail (input_length > 1, NULL);
 
-  ret = g_malloc0 (input_length * 3 / 4);
+  /* We can use a smaller limit here, since we know the saved state is 0,
+     +1 used to avoid calling g_malloc0(0), and hence retruning NULL */
+  ret = g_malloc0 ((input_length / 4) * 3 + 1);
   
   *out_len = g_base64_decode_step (text, input_length, ret, &state, &save);
   
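Review bot: The new comment above the `g_malloc0` call misspells "returning" and does not say when the zero-size case arises. With the `input_length > 1` guard above it, `(input_length / 4) * 3` is 0 only for lengths 2 and 3. Its first sentence was carried over from the encode path, and it would read better as `/* state is 0, so (input_length / 4) * 3 bytes suffice; +1 keeps g_malloc0() from being called with 0 (and returning NULL) for input_length 2 or 3 */`. The function body starts and ends outside this hunk.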

