[OTR-dev] otrl_base64_otr_decode() function...

Ian Goldberg ian at cypherpunks.ca
Tue Jul 17 13:30:53 EDT 2012


On Tue, Jul 17, 2012 at 10:15:51AM -0400, Justin Ferguson wrote:
> Surely you guys meant to check that msglen-5 is greater than or equal
> to four lest you receive a msg akin to "?OTR:===." ?
> 
> This is a pretty highly utilized code-path with direct hits from
> pidgin's receive im signal. Cheers.

Thanks for the report!  It turns out your suggested fix isn't quite good
enough.  Here's the fix we just committed:

commit aa8cf9d5e860691943f3fc02ad11432b56c7ae1f
Author: Ian Goldberg <iang at cs.uwaterloo.ca>
Date:   Tue Jul 17 13:25:44 2012 -0400

    Use ceil instead of floor to compute the size of the data buffer.
    
    This prevents a one-byte heap buffer overflow.  Thanks to Justin
    Ferguson <jnferguson at gmail.com> for the report.

diff --git a/ChangeLog b/ChangeLog
index f12ce68..7f6e9ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-07-17
+
+       * src/b64.c: Use ceil instead of floor to compute the size
+       of the data buffer.  This prevents a one-byte heap buffer
+       overflow.  Thanks to Justin Ferguson <jnferguson at gmail.com>
+       for the report.
+
 2012-06-21
 
        * src/context.c: A couple bug fixes.
diff --git a/src/b64.c b/src/b64.c
index 8ea2e52..9ed3feb 100644
--- a/src/b64.c
+++ b/src/b64.c
@@ -237,7 +237,7 @@ int otrl_base64_otr_decode(const char *msg, unsigned char **
     }
 
     /* Base64-decode the message */
-    rawlen = ((msglen-5) / 4) * 3;   /* maximum possible */
+    rawlen = ((msglen-5+3) / 4) * 3;   /* maximum possible */
     rawmsg = malloc(rawlen);
     if (!rawmsg && rawlen > 0) {
        return -1;
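Review bot: the `+` line corrects the allocation size, but nothing in this hunk limits how much the decoder writes into rawmsg; the call that fills the buffer is outside the shown context, so it is worth confirming it receives rawlen (or the payload length) as an output bound so that a future sizing error fails closed instead of overrunning the heap again. The comment `/* maximum possible */` would also be clearer if it said why the `+3` is there: it rounds the count of 4-character groups up so a trailing group of 2 or 3 characters still has its output bytes accounted for, which is exactly the case the floor version missed. Note too that `if (!rawmsg && rawlen > 0)` deliberately accepts a NULL rawmsg when rawlen is 0 (an empty payload, since any 1 to 3 leftover characters now yield rawlen 3); a one-line comment stating that the decoder tolerates a NULL buffer for zero-length input would save the next reader a trip through the callee.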


   - Ian
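The sizing bug behind this fix, as an added example and not libotr's own code: rawlen_floor and rawlen_ceil reproduce the two buffer-size formulas from the hunk, and a hypothetical bounded decoder shows why the floor version leaves no room for a payload like the "===" in Justin's report. The decoder's handling of '=' and of partial 4-character groups is an assumption of this example; how many bytes libotr's decoder emits for such input is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Buffer size the pre-fix code computed for a base64 payload of b64len chars. */
size_t rawlen_floor(size_t b64len) { return (b64len / 4) * 3; }
/* Buffer size after the fix: round the number of 4-char groups up, not down. */
size_t rawlen_ceil(size_t b64len) { return ((b64len + 3) / 4) * 3; }

/* Six-bit value of one base64 character. '=' and anything invalid map to 0, so a
   padded or truncated trailing group still produces output, as lenient decoders do.
   Hypothetical helper for this example, not libotr's own table. */
static unsigned b64val(char c) {
    if (c >= 'A' && c <= 'Z') return (unsigned)(c - 'A');
    if (c >= 'a' && c <= 'z') return (unsigned)(c - 'a' + 26);
    if (c >= '0' && c <= '9') return (unsigned)(c - '0' + 52);
    if (c == '+') return 62;
    if (c == '/') return 63;
    return 0;
}

/* Bounded decoder: never writes past outcap. Returns bytes written, or -1 if the
   input needs more room. A trailing group of 2 or 3 chars yields 1 or 2 bytes;
   that is the output a floor-sized buffer has no room for. */
long b64_decode_bounded(const char *in, size_t inlen, unsigned char *out, size_t outcap) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 4) {
        size_t grp = inlen - i < 4 ? inlen - i : 4;
        if (grp == 1) return -1;              /* a lone 6 bits cannot form a byte */
        uint32_t bits = 0;
        for (size_t k = 0; k < 4; k++)
            bits = (bits << 6) | (k < grp ? b64val(in[i + k]) : 0);
        size_t nbytes = grp - 1;              /* 4 -> 3, 3 -> 2, 2 -> 1 */
        if (o + nbytes > outcap) return -1;   /* would overrun: refuse instead */
        for (size_t k = 0; k < nbytes; k++)
            out[o++] = (unsigned char)(bits >> (16 - 8 * k));
    }
    return (long)o;
}

/* Decode the payload of an OTR-framed message "?OTR:<base64>." into a buffer of
   cap bytes. Returns the decoder's result, or -2 if the framing is missing. */
long otr_payload_decode(const char *msg, size_t cap) {
    unsigned char buf[64];
    const char *start = strstr(msg, "?OTR:");
    if (!start) return -2;
    const char *end = strchr(start + 5, '.');
    if (!end || cap > sizeof buf) return -2;
    return b64_decode_bounded(start + 5, (size_t)(end - start - 5), buf, cap);
}
```

With the floor-sized buffer the "?OTR:===." message is refused by the bounded decoder; with the ceil-sized buffer it decodes, which is the behaviour the patch restores for unbounded code.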
