NetBSD-Bugs archive


bin/47237: mailx(1): Base64 decoder ignores some illegal input



>Number:         47237
>Category:       bin
>Synopsis:       mailx(1): Base64 decoder ignores some illegal input
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 22 20:05:00 +0000 2012
>Originator:     Steffen Nurpmeso
>Release:        mailx(1): mime_codecs.c, v1.9
>Organization:
>Environment:
NetBSD 6.0 (GENERIC) i386
>Description:
The Base64 decoder (I've just replaced the entire layer of my stepchild and
took your implementation as a base -- thanks!) won't detect illegal input that
is padded with more than two == PAD characters.
E.g., if the last characters are [=]=== then this is not detected, since *a*
and *b* are not tested for the special EQU value, but only for the also special
BAD.
I have no real idea of NetBSD Mail(1), but once I'd implanted that code into
my stepchild I saw an ugly letter-replacement on my UTF-8 terminal (i.e. the
Base64 output is directly passed through iconv(3) and then ends on the
terminal).
>How-To-Repeat:
Force a Base64 defect so that more than two EQU pad characters (=) occur.
>Fix:
Diff based on mime_codecs.c,v 1.9 (the X-less git(1) clone is not around).
(And easier would be "a > 64 || b > 64 ||...", but that renders EQU/BAD 
somewhat doomed.)

--- mime_codecs.c.orig  2012-11-20 12:35:08.000000000 +0100
+++ mime_codecs.c       2012-11-20 12:36:24.000000000 +0100
@@ -237,6 +237,10 @@ mime_b64tobin(char *bin, const char *b64
                unsigned c = uchar64(q[2]);
                unsigned d = uchar64(q[3]);
 
+               if (a == BAD || a == EQU || b == BAD || b == EQU ||
+                               c == BAD || d == BAD)
+                       return -1;
+
                *p++ = ((a << 2) | ((b & 0x30) >> 4));
                if (c == EQU)   { /* got '=' */
                        if (d != EQU)
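
Review bot: The new test ahead of the first `*p++` store rejects `a == EQU` and `b == EQU` but lets `d == EQU` (and `c == EQU`) through without saying why, which makes the asymmetry look like an oversight. A one-line comment stating that '=' is only legal in the third and fourth position of a quad, and that those two cases are handled by the `if (c == EQU)` branch below, would protect the condition from a later "simplification".
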
@@ -248,9 +252,6 @@ mime_b64tobin(char *bin, const char *b64
                        break;
                }
                *p++ = (((c & 0x03) << 6) | d);
-
-               if (a == BAD || b == BAD || c == BAD || d == BAD)
-                       return -1;
        }
 
 #undef uchar64
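
Review bot: With the late test removed, the last store `*p++ = (((c & 0x03) << 6) | d);` depends on every non-alphabet value of d having been handled earlier, and the early test only rejects `d == BAD`. The lines between the two hunks are not shown here, so it is worth confirming that a quad with `c != EQU` and `d == EQU` leaves the loop before this store; otherwise the EQU marker would be ORed into the final byte.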


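A self-contained sketch of the check order the report asks for, written for this page as an added example and not taken from NetBSD's mime_codecs.c. The names `b64val` and `b64_decode_strict` and the numeric values of `EQU`/`BAD` are assumptions; it also goes slightly beyond the patch by rejecting padding anywhere but the final quad and input whose length is not a multiple of four. The inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#define EQU 64u	/* '=' pad marker (name taken from the report) */
#define BAD 65u	/* byte outside the Base64 alphabet */

static unsigned b64val(unsigned char ch)
{
	static const char tbl[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	const char *p = ch ? strchr(tbl, ch) : NULL;
	if (ch == '=')
		return EQU;
	return p ? (unsigned)(p - tbl) : BAD;
}

/* Decode len Base64 chars; returns decoded byte count, or -1 if malformed. */
int b64_decode_strict(unsigned char *out, const char *in, size_t len)
{
	unsigned char *p = out;
	if (len % 4 != 0)
		return -1;
	for (size_t i = 0; i < len; i += 4) {
		unsigned a = b64val(in[i]), b = b64val(in[i + 1]);
		unsigned c = b64val(in[i + 2]), d = b64val(in[i + 3]);
		/* Validate before any store: '=' is never legal in slot 1 or 2. */
		if (a == BAD || a == EQU || b == BAD || b == EQU ||
		    c == BAD || d == BAD)
			return -1;
		/* Padding is "==" or "=" and only in the final quad. */
		if ((c == EQU && d != EQU) || (d == EQU && i + 4 != len))
			return -1;
		*p++ = (unsigned char)((a << 2) | (b >> 4));
		if (c == EQU)
			break;
		*p++ = (unsigned char)(((b & 0x0f) << 4) | (c >> 2));
		if (d == EQU)
			break;
		*p++ = (unsigned char)(((c & 0x03) << 6) | d);
	}
	return (int)(p - out);
}

int main(void)
{
	unsigned char buf[8];	/* constructed inputs: valid, "===", "====" */
	printf("%d %d %d\n", b64_decode_strict(buf, "QQ==", 4),
	    b64_decode_strict(buf, "Q===", 4), b64_decode_strict(buf, "====", 4));
	return 0;
}
```

Because the function returns -1 before the quad's first store, a caller that feeds the result onward (for example to iconv(3)) never sees bytes derived from a pad or invalid character.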
