Hi,
a bug I spotted some weeks ago:

------------------ libexec/httpd/auth-bozo.c l.139 ------------------
base64_decode(const unsigned char *in, size_t ilen, unsigned char *out,
              size_t olen)
{
        unsigned char *cp;
        size_t   i;

        cp = out;
        for (i = 0; i < ilen; i += 4) {
                ...
        }
        while (in[i - 1] == '=')
                cp--,i--;
        return (cp - out);
}
---------------------------------------------------------------------

Here, if ilen=0, 'in' will be accessed at -1. It seems to be
triggerable, since both 'ilen' and 'in' are extracted from received
data.

However it is harmless: it is called by bozo_auth_check_headers(),
and these two variables are sanitized in bozohttpd.c in such a way
that in[-1] is always a valid memory area, always set to ' '.

Still, this is fragile.
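For comparison, an added example (my code, not bozohttpd's) of the same decoder shape with the trailing padding loop bounded so that ilen == 0 cannot index in[-1]; the names base64_decode_safe, b64val and decodes_to are my own and not from the tree:

```c
#include <stddef.h>
#include <string.h>
/* Added example, not bozohttpd's code: decode in groups of 4 and then drop
 * the padding bytes, as in the excerpt, but with the trailing loop bounded. */
static int
b64val(unsigned char c)
{
	if (c >= 'A' && c <= 'Z') return c - 'A';
	if (c >= 'a' && c <= 'z') return c - 'a' + 26;
	if (c >= '0' && c <= '9') return c - '0' + 52;
	return c == '+' ? 62 : c == '/' ? 63 : -1;	/* -1: '=' or junk */
}

/* Returns decoded length, or (size_t)-1 on malformed input or short out. */
size_t
base64_decode_safe(const unsigned char *in, size_t ilen,
    unsigned char *out, size_t olen)
{
	unsigned char *cp = out;
	size_t i;
	if (ilen % 4 != 0 || olen < (ilen / 4) * 3)
		return (size_t)-1;
	for (i = 0; i < ilen; i += 4) {
		unsigned long bits = 0;
		int v[4], j;
		for (j = 0; j < 4; j++) {
			v[j] = b64val(in[i + j]);
			/* '=' only in the last two slots of the last group; "xx=y" is bad */
			if (v[j] < 0 ? in[i + j] != '=' || i + 4 != ilen || j < 2
			    : j == 3 && v[2] < 0)
				return (size_t)-1;
			bits = (bits << 6) | (unsigned long)(v[j] < 0 ? 0 : v[j]);
		}
		*cp++ = (bits >> 16) & 0xff;
		*cp++ = (bits >> 8) & 0xff;
		*cp++ = bits & 0xff;
	}
	/* i > 0 is the fix: with ilen == 0 the original read in[i - 1] == in[-1] */
	while (i > 0 && in[i - 1] == '=')
		cp--, i--;
	return (size_t)(cp - out);
}

int
decodes_to(const char *s, const char *expect)	/* test helper; NULL = reject */
{
	unsigned char buf[64];
	size_t n = base64_decode_safe((const unsigned char *)s, strlen(s), buf, sizeof buf);
	return expect == NULL ? n == (size_t)-1
	    : n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
```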
