File apr-util-CVE-2022-25147.patch of Package libapr-util1

Overview Repositories Revisions Requests Users Attributes Meta

File apr-util-CVE-2022-25147.patch of Package libapr-util1

Index: apr-util-1.6.1/encoding/apr_base64.c
===================================================================
--- apr-util-1.6.1.orig/encoding/apr_base64.c
+++ apr-util-1.6.1/encoding/apr_base64.c
@@ -20,11 +20,20 @@
  * ugly 'len' functions, which is quite a nasty cost.
  */
 
+#undef NDEBUG /* always abort() on assert()ion failure */
+#include <assert.h>
+
 #include "apr_base64.h"
 #if APR_CHARSET_EBCDIC
 #include "apr_xlate.h"
 #endif				/* APR_CHARSET_EBCDIC */
 
+/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
+#define APR_BASE64_ENCODE_MAX 1610612733
+
+/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
+#define APR_BASE64_DECODE_MAX 2863311524u
+
 /* aaaack but it's fast and const should make it shared text page. */
 static const unsigned char pr2six[256] =
 {
@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init
 
 APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
 {
-    int nbytesdecoded;
     register const unsigned char *bufin;
     register apr_size_t nprbytes;
 
     bufin = (const unsigned char *) bufcoded;
     while (pr2six[*(bufin++)] <= 63);
-
     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+    assert(nprbytes <= APR_BASE64_DECODE_MAX);
 
-    return nbytesdecoded + 1;
+    return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
 }
 
 APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
 {
 #if APR_CHARSET_EBCDIC
     apr_size_t inbytes_left, outbytes_left;
-#endif				/* APR_CHARSET_EBCDIC */
+#endif /* APR_CHARSET_EBCDIC */
     int len;
     
     len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
@@ -143,7 +150,7 @@ APU_DECLARE(int) apr_base64_decode(char
  * the conversion of the output to ebcdic is left out.
  */
 APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
-				   const char *bufcoded)
+                                          const char *bufcoded)
 {
     int nbytesdecoded;
     register const unsigned char *bufin;
@@ -153,12 +160,13 @@ APU_DECLARE(int) apr_base64_decode_binar
     bufin = (const unsigned char *) bufcoded;
     while (pr2six[*(bufin++)] <= 63);
     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+    assert(nprbytes <= APR_BASE64_DECODE_MAX);
+    nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
 
     bufout = (unsigned char *) bufplain;
     bufin = (const unsigned char *) bufcoded;
 
-    while (nprbytes > 4) {
+    while (nprbytes >= 4) {
 	*(bufout++) =
 	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
 	*(bufout++) =
@@ -178,13 +186,8 @@ APU_DECLARE(int) apr_base64_decode_binar
 	*(bufout++) =
 	    (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
     }
-    if (nprbytes > 3) {
-	*(bufout++) =
-	    (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
-    }
 
-    nbytesdecoded -= (4 - (int)nprbytes) & 3;
-    return nbytesdecoded;
+    return nbytesdecoded - (int)((4u - nprbytes) & 3u);
 }
 
 static const char basis_64[] =
@@ -192,6 +195,8 @@ static const char basis_64[] =
 
 APU_DECLARE(int) apr_base64_encode_len(int len)
 {
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
     return ((len + 2) / 3 * 4) + 1;
 }
 
@@ -203,6 +208,8 @@ APU_DECLARE(int) apr_base64_encode(char
     int i;
     char *p;
 
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
     p = encoded;
     for (i = 0; i < len - 2; i += 3) {
 	*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
@@ -227,7 +234,7 @@ APU_DECLARE(int) apr_base64_encode(char
     }
 
     *p++ = '\0';
-    return p - encoded;
+    return (unsigned int)(p - encoded);
 #endif				/* APR_CHARSET_EBCDIC */
 }
 
@@ -240,6 +247,8 @@ APU_DECLARE(int) apr_base64_encode_binar
     int i;
     char *p;
 
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
     p = encoded;
     for (i = 0; i < len - 2; i += 3) {
 	*p++ = basis_64[(string[i] >> 2) & 0x3F];
@@ -264,5 +273,5 @@ APU_DECLARE(int) apr_base64_encode_binar
     }
 
     *p++ = '\0';
-    return (int)(p - encoded);
+    return (unsigned int)(p - encoded);
 }

Places

File apr-util-CVE-2022-25147.patch of Package libapr-util1

Places