[PATCH v2 1/2] lib/base64: validate before writing in decode tail path

Next message: Josh Law: "[PATCH v2 2/2] lib/base64: fix copy-pasted @padding doc in base64_decode()"
Previous message: buermarc: "Re: [PATCH v3] sysctl: fix check against uninitialized variable in proc_do_large_bitmap"
In reply to: Josh Law: "[PATCH v2 0/2] lib/base64: decode fixes"
Next in thread: Josh Law: "[PATCH v2 2/2] lib/base64: fix copy-pasted @padding doc in base64_decode()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Law

Date: Tue Mar 24 2026 - 18:37:17 EST

The trailing-bytes path in base64_decode() writes a decoded byte to
the output buffer before checking whether the input characters are
valid. If the input is malformed, garbage is written to dst before the
function returns -1.

Move the validity checks before any writes so the output buffer is
left untouched on invalid input.

Fixes: 9c7d3cf94d33 ("lib/base64: rework encode/decode for speed and stricter validation")
Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>
---
lib/base64.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/base64.c b/lib/base64.c
index 41961a444028..20dacee25f65 100644
--- a/lib/base64.c
+++ b/lib/base64.c
@@ -168,15 +168,16 @@ int base64_decode(const char *src, int srclen, u8 *dst, bool padding, enum base6
return -1;

val = (base64_rev_tables[s[0]] << 12) | (base64_rev_tables[s[1]] << 6);
- *bp++ = val >> 10;

if (srclen == 2) {
if (val & 0x800003ff)
return -1;
+ *bp++ = val >> 10;
} else {
val |= base64_rev_tables[s[2]];
if (val & 0x80000003)
return -1;
+ *bp++ = val >> 10;
*bp++ = val >> 2;
}
return bp - dst;
--
2.34.1