Skip to content

base64: fix out-of-bounds write in htp_base64_decode#461

Open
zhangjy1014 wants to merge 1 commit intoOISF:0.5.xfrom
zhangjy1014:fix-issue-458
Open

base64: fix out-of-bounds write in htp_base64_decode#461
zhangjy1014 wants to merge 1 commit intoOISF:0.5.xfrom
zhangjy1014:fix-issue-458

Conversation

@zhangjy1014
Copy link

@zhangjy1014 zhangjy1014 commented Feb 12, 2026

The htp_base64_decode function previously performed a write to the output buffer (*plainchar) to store the partial result of the next byte before verifying if the output buffer had sufficient space. This resulted in a heap-buffer-overflow when the provided output buffer was undersized or exactly full.

This patch fixes the issue by:

  1. Moving the partial byte assignment after the buffer length check.
  2. Correctly updating the decoder state (decoder->step and decoder->plainchar) when the buffer limit is reached, ensuring the state is preserved without writing out-of-bounds.

Fixes #458

This patch is generated by ASKRepair, an agentic automated vulnerability repair framework

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 12, 2026

Hi @catenacyber, please take a look

@catenacyber
Copy link
Contributor

catenacyber commented Feb 12, 2026

Thanks for the work.
Could we have some tests for the different cases ?

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 13, 2026

Hi @catenacyber, thanks for your review, I've added several tests. The patched version passes all of them, while the unpatched version triggers an ASan error on each of them.

catenacyber
catenacyber reviewed Feb 16, 2026
View reviewed changes
@catenacyber
Copy link
Contributor

catenacyber commented Feb 18, 2026

Could you squash together all the commits ?
Otherwise, looks good to me

@zhangjy1014
The htp_base64_decode function previously performed a write to the ou…
6cb45cb 
…tput buffer (*plainchar) to store the partial result of the next byte before verifying if the output buffer had sufficient space. This resulted in a heap-buffer-overflow when the provided output buffer was undersized or exactly full.

This patch fixes the issue by:

Moving the partial byte assignment after the buffer length check.
Correctly updating the decoder state (decoder->step and decoder->plainchar) when the buffer limit is reached, ensuring the state is preserved without writing out-of-bounds.
Fixes OISF#458

This patch is generated by ASKRepair, an agentic automated vulnerability repair framework
@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 18, 2026

Could you squash together all the commits ? Otherwise, looks good to me

squashed, thanks!

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 26, 2026

Since this fixes an out-of-bounds write issue, could you help merge it when convenient?
Thanks again @catenacyber !

@catenacyber
Copy link
Contributor

catenacyber commented Mar 1, 2026

The commit message should be updated : the first line should be much shorter: like base64: fix bounds checks
(sorry I forgot to review this earlier)

As for merging, I do not know, you can see I have #460 pending as well ;-)

catenacyber
catenacyber approved these changes Mar 9, 2026
View reviewed changes
Copy link
Contributor

@catenacyber catenacyber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good for me @victorjulien

@victorjulien victorjulien mentioned this pull request Mar 10, 2026
Closed
jufajardini
jufajardini requested changes Mar 10, 2026
View reviewed changes
Copy link
Contributor

@jufajardini jufajardini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see my inline comments, and also please consider Victor (#463 (comment)) and Philippe's feedback on the commit format, it's not following our standard. (you can see c990dc3 for an example)

test/test_utils.cpp
bstr_free(out);
}

// Tests for issue #458: htp_base64_decode out-of-bounds write with undersized output buffer
Copy link
Contributor

@jufajardini jufajardini Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we have this comment, we should also have one indicating where do such tests end. :P

test/test_utils.cpp
Comment on lines +73 to +74
int ret = htp_base64_decode(&dec, in, 4, out, 1);
EXPECT_EQ(1, ret);
Copy link
Contributor

@jufajardini jufajardini Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here and in similar calls, can't we simply call htp_base64_decode from EXPECT_EQ as it's done for other tests?

@jufajardini
Copy link
Contributor

jufajardini commented Mar 10, 2026

Since this fixes an out-of-bounds write issue, could you help merge it when convenient? Thanks again @catenacyber !

Thanks for your work, but we need some further improvements to make merging possible :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jufajardini jufajardini jufajardini requested changes

@victorjulien victorjulien victorjulien approved these changes

@catenacyber catenacyber catenacyber approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Out-of-bounds write in htp_base64_decode

4 participants

@zhangjy1014 @catenacyber @jufajardini @victorjulien