author | Hans Jerry Illikainen <hji@dyntopia.com> | 2016-12-11 20:17:49 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-12-23 09:47:09 -0500 |
commit | a23fd1578612051a3ac804c12a629f6a5cfa296e (patch) | |
tree | 7b64f7ab79efaf2469efefbe60bbcec46f5aed59 /src/common/util_format.c | |
parent | f3da62dbdfb2057a7c8d5d46367e9d41bdd5b9ec (diff) | |
download | tor-a23fd1578612051a3ac804c12a629f6a5cfa296e.tar.gz tor-a23fd1578612051a3ac804c12a629f6a5cfa296e.zip |
Fix unreachable heap corruption in base64_decode()
Give size_mul_check() external linkage and use it in base64_decode() to
avoid a potential integer wrap.
Closes #19222
Diffstat (limited to 'src/common/util_format.c')
-rw-r--r-- | src/common/util_format.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/common/util_format.c b/src/common/util_format.c index aef9db85c8..6e0a04586a 100644 --- a/src/common/util_format.c +++ b/src/common/util_format.c @@ -398,7 +398,7 @@ base64_decode(char *dest, size_t destlen, const char *src, size_t srclen) * Number of bytes required to hold all bits == (srclen*6)/8. * Yes, we want to round down: anything that hangs over the end of a * byte is padding. */ - if (destlen < (srclen*3)/4) + if (!size_mul_check(srclen, 3) || destlen < (srclen*3)/4) return -1; if (destlen > SIZE_T_CEILING) return -1; |
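Review bot: The comment above the changed condition in base64_decode() still explains only the round-down of (srclen*6)/8 and does not say why size_mul_check(srclen, 3) is there. Please add a line stating that a wrapped srclen*3 would make the required size look small, so an undersized destlen would pass the check. The product is also written out twice in the new condition, `if (!size_mul_check(srclen, 3) || destlen < (srclen*3)/4)`; the guard and the value it protects would be easier to keep in sync if the bound were computed once into a local after the check. The commit message says size_mul_check() gets external linkage, but this view is limited to src/common/util_format.c, so confirm that its prototype is visible here through an included header. A unit test that passes an srclen large enough for srclen*3 to wrap and expects -1 would pin the behaviour down.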