Bug 1037683 - opensc: base64 decoder assumes signed chars
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nikos Mavrogiannopoulos
QA Contact: Release Test Team
Blocks: 1036175
Reported: 2013-12-03 15:21 UTC by Florian Weimer
Modified: 2015-08-26 14:37 UTC (History)

Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2015-08-26 14:37:41 UTC

Description Florian Weimer 2013-12-03 15:21:35 UTC
The function from_base64() in src/libopensc/base64.c assumes signed chars.  With unsigned chars, bin_table can be indexed out of bounds:

static int from_base64(const char *in, unsigned int *out, int *skip)
{
	unsigned int res = 0, c, s = 18;
	const char *in0 = in;
	
	for (c = 0; c < 4; c++, in++) {
		u8 b;
		int k = *in;
		
		if (k < 0)
			return -1;
		if (k == 0 && c == 0)
			return 0;
		b = bin_table[k];


The exact impact of this bug depends on the image layout chosen by the linker.  bin_table should end up in the text section, so no information leak is expected, and the worst that could happen is likely a crash.
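
Added example (not part of the original report and not OpenSC code): the same input byte run through the reported `k < 0` guard under both char signedness models, next to a lookup that bounds the index by the table size. The 128-entry table size, the `demo_table` contents and all helper names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;

#define TABLE_SIZE 128   /* assumed size of the lookup table */
#define INVALID    0xFF  /* placeholder marker, not OpenSC's value */

static u8 demo_table[TABLE_SIZE];   /* constructed stand-in for bin_table */
static int table_ready;

static void build_table(void)
{
	static const char alphabet[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	int i;
	memset(demo_table, INVALID, sizeof demo_table);
	for (i = 0; i < 64; i++)
		demo_table[(u8)alphabet[i]] = (u8)i;
	table_ready = 1;
}

/* Value of "int k = *in" for the same byte under each char signedness. */
static int index_signed_char(u8 byte)   { return (int)(signed char)byte; }
static int index_unsigned_char(u8 byte) { return (int)byte; }

/* The only guard in the reported code: "if (k < 0) return -1;" */
static int reported_guard_passes(int k) { return k >= 0; }

/* Hardened lookup: read the byte as unsigned and bound it by the table size. */
static int safe_lookup(u8 byte, u8 *out)
{
	if (!table_ready)
		build_table();
	if (byte >= TABLE_SIZE || demo_table[byte] == INVALID)
		return -1;
	*out = demo_table[byte];
	return 0;
}

int main(void)
{
	u8 byte = 0xC3, b;   /* constructed non-ASCII input byte */
	int ks = index_signed_char(byte), ku = index_unsigned_char(byte);
	printf("signed char:   k=%4d guard passes=%d\n", ks, reported_guard_passes(ks));
	printf("unsigned char: k=%4d guard passes=%d\n", ku, reported_guard_passes(ku));
	printf("safe_lookup(0x%02X) = %d\n", byte, safe_lookup(byte, &b));
	return 0;
}
```

With signed chars the byte becomes a negative index and the guard rejects it; with unsigned chars the same byte becomes 195, passes the guard, and would index past a 128-entry table.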

Comment 4 Nikos Mavrogiannopoulos 2014-06-05 09:41:58 UTC
Created upstream pull request.
https://github.com/OpenSC/OpenSC/pull/246

