Maxime Villard writes:
> Hi,
> a bug I spotted some weeks ago:
> 
> ------------------ libexec/httpd/auth-bozo.c l.139 ------------------
> base64_decode(const unsigned char *in, size_t ilen, unsigned char *out,
>             size_t olen)
> {
>       unsigned char *cp;
>       size_t   i;
> 
>       cp = out;
>       for (i = 0; i < ilen; i += 4) {
>               ...
>       }
>       while (in[i - 1] == '=')
>               cp--,i--;
>       return (cp - out);
> }
> ---------------------------------------------------------------------
> 
> Here, if ilen=0, 'in' will be accessed at -1. It seems to be
> triggerable, since both 'ilen' and 'in' are extracted from received
> data.
> 
> However it is harmless: it is called by bozo_auth_check_headers(),
> and these two variables are sanitized in bozohttpd.c in such a way
> that in[-1] is always a valid memory area, always set to ' '.
> 
> Still this is fragile.

thanks.  i've committed a fix.


.mrg.
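An added example (not code from this thread and not bozohttpd's own source): the trailing-'=' walk-back quoted above, once with the guard-free loop as posted and once bounded by the input consumed and the output produced, so that ilen == 0 never reads in[-1]. The decoding loop body, which the quote elides with "...", is a hypothetical stand-in written here; it treats '=' as value 0 and lets the walk-back drop the bytes the padding produced, which is the shape the quoted trailer implies. The leading ' ' in the constructed header value in main() stands for the byte the report says bozohttpd keeps in front of the value.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Value of one base64 alphabet character, or -1 for anything else ('=' included). */
static int b64_val(unsigned char c)
{
	static const char alpha[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	const char *p = c ? strchr(alpha, c) : NULL;

	return p ? (int)(p - alpha) : -1;
}

/*
 * Hypothetical stand-in for the elided loop body: every quad of input
 * characters yields three output bytes, '=' counts as value 0, and the bytes
 * it produced are trimmed by the caller afterwards.  '=' is accepted only in
 * the last two positions of the final quad.  Returns bytes written, or -1 on
 * malformed input or an output buffer that is too small.
 */
static long decode_quads(const unsigned char *in, size_t ilen,
    unsigned char *out, size_t olen)
{
	unsigned char *cp = out;
	size_t i;

	if (ilen % 4 != 0)
		return -1;
	for (i = 0; i < ilen; i += 4) {
		int v[4] = { 0, 0, 0, 0 }, k, pad = 0;

		if ((size_t)(cp - out) + 3 > olen)
			return -1;
		for (k = 0; k < 4; k++) {
			unsigned char c = in[i + k];

			if (c == '=') {
				if (i + 4 != ilen || k < 2)
					return -1;	/* padding only at the very end */
				pad = 1;
			} else if (pad || (v[k] = b64_val(c)) < 0) {
				return -1;	/* data after '=' or non-alphabet byte */
			}
		}
		*cp++ = (unsigned char)((v[0] << 2) | (v[1] >> 4));
		*cp++ = (unsigned char)(((v[1] & 0x0f) << 4) | (v[2] >> 2));
		*cp++ = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
	}
	return (long)(cp - out);
}

/* Trailing-'=' walk-back exactly as quoted: with ilen == 0 it reads in[-1]. */
long base64_decode_fragile(const unsigned char *in, size_t ilen,
    unsigned char *out, size_t olen)
{
	long n = decode_quads(in, ilen, out, olen);
	unsigned char *cp = out + (n < 0 ? 0 : n);
	size_t i = ilen;

	if (n < 0)
		return -1;
	while (in[i - 1] == '=')
		cp--, i--;
	return (long)(cp - out);
}

/* Same walk-back, bounded by the input consumed and the output produced. */
long base64_decode_safe(const unsigned char *in, size_t ilen,
    unsigned char *out, size_t olen)
{
	long n = decode_quads(in, ilen, out, olen);
	unsigned char *cp = out + (n < 0 ? 0 : n);
	size_t i = ilen;

	if (n < 0)
		return -1;
	while (i > 0 && cp > out && in[i - 1] == '=')
		cp--, i--;
	return (long)(cp - out);
}

/* Decode with the safe decoder and compare: length, -1 rejected, -2 mismatch. */
long decode_expect(const char *b64, const char *expect)
{
	unsigned char out[64];
	long n = base64_decode_safe((const unsigned char *)b64, strlen(b64),
	    out, sizeof out);

	if (n < 0)
		return -1;
	if ((size_t)n != strlen(expect) || memcmp(out, expect, (size_t)n) != 0)
		return -2;
	return n;
}

int main(void)
{
	/* Constructed header value; the leading ' ' plays the role of the byte
	 * the report says bozohttpd keeps in front of the value, so the fragile
	 * decoder's in[-1] read lands on it instead of outside any buffer. */
	static const unsigned char hdr[] = " QUI=";
	unsigned char out[16];

	printf("fragile \"QUI=\": %ld\n", base64_decode_fragile(hdr + 1, 4, out, sizeof out));
	printf("fragile \"\":     %ld (read in[-1], which is ' ')\n",
	    base64_decode_fragile(hdr + 1, 0, out, sizeof out));
	printf("safe \"\":        %ld (no read before the buffer)\n", decode_expect("", ""));
	printf("safe \"Q=JD\":    %ld (rejected)\n", decode_expect("Q=JD", ""));
	return 0;
}
```

The fragile variant only stays in bounds because the caller arranges memory around the input; the safe variant makes the decoder correct on its own, which is what removes the dependency the report calls fragile.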
