Patch base64_patch for Strings related Bug #80870

Patch version 2021-04-13 14:55 UTC

• 2021-04-13 14:55 UTC [diff to current]

Developer: bugs@jth.net

--- /usr/src/other/php/php-8.0.3/./ext/standard/base64.c	2021-03-02 17:37:06.000000000 +0100
+++ /usr/src/other/php/php-8.0.3j/./ext/standard/base64.c	2021-03-31 15:00:33.749393871 +0200
@@ -259,11 +259,41 @@
 #endif
 
 	/* run through the whole string, converting as we go */
-	while (inl-- > 0) {
-		ch = *in++;
+	while (inl > 0) {
+		ch = *in++; inl--; /* inl is unsigned, don't use inl-- > 0 possibly causing overflow to large int */
 		if (ch == base64_pad) {
+			/* RFC 4648: The extra 65th character, "=", is used to signify a special processing function.
+			   We have reached the end of a base64 block. "=" is not an unknown character. */
 			padding++;
-			continue;
+			/* proper padding is one or two chars and all extra padding chars immediately following are stripped */
+			while (inl > 0) {
+				ch = *in++; inl--;
+				if (ch == base64_pad) {
+					padding++;
+				} else {
+					break;
+				}
+			}
+
+			/* fail if the input is truncated (only one char in last group) */
+			if (strict && i % 4 == 1) {
+				goto fail;
+			}
+
+			/* padding found, fail if the padding length is wrong (not VV==, VVV=) */
+			if (strict && (padding > 2 || (i + padding) % 4 != 0)) {
+				goto fail;
+			}
+
+			if (inl > 0) {
+				/* ch is the first char of a new block.
+				   As the padding char signifies processing at a block end,
+				   we must start from fresh in the possible next block */
+				i=0; padding = 0;
+			} else {
+				/* end of string found */
+				continue;
+			}
 		}
 
 		ch = base64_reverse_table[ch];