On Mon, 2 Jul 2001, Alex Rousskov wrote:
> Pavel Kankovsky wrote:
>
> > The condition in base64_decode() ("j + 3 < BASE64_RESULT_SZ") is
> > slighly broken too. It should add 4 rather than 3 in order to
> > guarantee enough space for a new chunk of data as well as the
> > terminator).
>
> I am not sure this assessment is accurate.
[...]
> Outside of the loop, we modify result[j] (i.e., result[j0+3]). Thus,
> we need to make sure than j0+3 is less than BASE64_RESULT_SZ. This is
> exactly what the existing loop condition checks for.
[...]
> > Proposed fix: Replace "out_cnt < sizeof(result) - 1" condition
> > with "out_cnt < sizeof(result) - 5" in base64_encode().
>
> The loop in base64_encode() modifies four result[] bytes starting
> with out_cnt. Terminating code modifies the fifth byte starting with
> out_cnt. (out_cnt + 4) points to the fifth byte starting with out_cnt.
> Thus checking for
> out_cnt + 4 < sizeof(result)
> or
> out_cnt < sizeof(result) - 4
> should be sufficient.
I guess you are right in both cases. I must have had one of those
days when you interpret all <'s as <='s when I wrote the bug
report. :b I apologize.
-- Pavel Kankovsky, DCIT s.r.o., J. Martiho 2/407, 160 41 Praha 6, CZ tel (+420 2) 3536 3342, fax (+420 2) 3536 1543, url http://www.dcit.cz/Received on Tue Jul 03 2001 - 02:00:38 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST