[OTR-dev] otrl_base64_otr_decode() function...
Ian Goldberg
ian at cypherpunks.ca
Tue Jul 17 13:30:53 EDT 2012
On Tue, Jul 17, 2012 at 10:15:51AM -0400, Justin Ferguson wrote:
> Surely you guys meant to check that msglen-5 is greater than or equal
> to four lest you receive a msg akin to "?OTR:===." ?
>
> This is a pretty highly utilized code-path with direct hits from
> pidgin's receive im signal. Cheers.
Thanks for the report! It turns out your suggested fix isn't quite good
enough. Here's the fix we just committed:
commit aa8cf9d5e860691943f3fc02ad11432b56c7ae1f
Author: Ian Goldberg <iang at cs.uwaterloo.ca>
Date: Tue Jul 17 13:25:44 2012 -0400
Use ceil instead of floor to compute the size of the data buffer.
This prevents a one-byte heap buffer overflow. Thanks to Justin
Ferguson <jnferguson at gmail.com> for the report.
diff --git a/ChangeLog b/ChangeLog
index f12ce68..7f6e9ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-07-17
+
+ * src/b64.c: Use ceil instead of floor to compute the size
+ of the data buffer. This prevents a one-byte heap buffer
+ overflow. Thanks to Justin Ferguson <jnferguson at gmail.com>
+ for the report.
+
2012-06-21
* src/context.c: A couple bug fixes.
diff --git a/src/b64.c b/src/b64.c
index 8ea2e52..9ed3feb 100644
--- a/src/b64.c
+++ b/src/b64.c
@@ -237,7 +237,7 @@ int otrl_base64_otr_decode(const char *msg, unsigned char **
}
/* Base64-decode the message */
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
+ rawlen = ((msglen-5+3) / 4) * 3; /* maximum possible */
rawmsg = malloc(rawlen);
if (!rawmsg && rawlen > 0) {
return -1;
- Ian
More information about the OTR-dev
mailing list