Skip to content

base64: fix out-of-bounds write in htp_base64_decode#461

Open
zhangjy1014 wants to merge 1 commit intoOISF:0.5.xfrom
zhangjy1014:fix-issue-458
Open

base64: fix out-of-bounds write in htp_base64_decode#461
zhangjy1014 wants to merge 1 commit intoOISF:0.5.xfrom
zhangjy1014:fix-issue-458

Conversation

@zhangjy1014
Copy link

@zhangjy1014 zhangjy1014 commented Feb 12, 2026

The htp_base64_decode function previously performed a write to the output buffer (*plainchar) to store the partial result of the next byte before verifying if the output buffer had sufficient space. This resulted in a heap-buffer-overflow when the provided output buffer was undersized or exactly full.

This patch fixes the issue by:

  1. Moving the partial byte assignment after the buffer length check.
  2. Correctly updating the decoder state (decoder->step and decoder->plainchar) when the buffer limit is reached, ensuring the state is preserved without writing out-of-bounds.

Fixes #458

This patch is generated by ASKRepair, an agentic automated vulnerability repair framework

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 12, 2026

Hi @catenacyber, please take a look

@catenacyber
Copy link
Contributor

catenacyber commented Feb 12, 2026

Thanks for the work.
Could we have some tests for the different cases ?

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 13, 2026

Hi @catenacyber, thanks for your review, I've added several tests. The patched version passes all of them, while the unpatched version triggers an ASan error on each of them.

catenacyber
catenacyber reviewed Feb 16, 2026
View reviewed changes
htp/htp_base64.c
*plainchar++ |= (fragment & 0x030) >> 4;
*plainchar = (unsigned char) ((fragment & 0x00f) << 4);
if (--length_out == 0) {
decoder->step = step_c;
Copy link
Contributor

@catenacyber catenacyber Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this line ? It looks like the tests still pass without it...

@catenacyber
Copy link
Contributor

catenacyber commented Feb 18, 2026

Could you squash together all the commits ?
Otherwise, looks good to me

@zhangjy1014
The htp_base64_decode function previously performed a write to the ou…
6cb45cb 
…tput buffer (*plainchar) to store the partial result of the next byte before verifying if the output buffer had sufficient space. This resulted in a heap-buffer-overflow when the provided output buffer was undersized or exactly full.

This patch fixes the issue by:

Moving the partial byte assignment after the buffer length check.
Correctly updating the decoder state (decoder->step and decoder->plainchar) when the buffer limit is reached, ensuring the state is preserved without writing out-of-bounds.
Fixes OISF#458

This patch is generated by ASKRepair, an agentic automated vulnerability repair framework
@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 18, 2026

Could you squash together all the commits ? Otherwise, looks good to me

squashed, thanks!

@zhangjy1014
Copy link
Author

zhangjy1014 commented Feb 26, 2026

Since this fixes an out-of-bounds write issue, could you help merge it when convenient?
Thanks again @catenacyber !

@catenacyber
Copy link
Contributor

catenacyber commented Mar 1, 2026

The commit message should be updated : the first line should be much shorter: like base64: fix bounds checks
(sorry I forgot to review this earlier)

As for merging, I do not know, you can see I have #460 pending as well ;-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@catenacyber catenacyber catenacyber left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Out-of-bounds write in htp_base64_decode

2 participants

@zhangjy1014 @catenacyber