Pavel Kankovsky wrote:
> If the input text is long enough, the loop will be executed for
> (out_cnt, char_count) = (0, 0), (0, 1), (0, 2), (0, 3), (4, 0),
> ..., (BASE64_RESULT_SZ-4, 2), and (BASE64_RESULT_SZ-4, 3). After
> the last mentioned iteration, the loop will terminated because
> out_cnt will be equal to BASE64_RESULT_SZ (8192). When this
> happens, the last quoted command will zero a byte that lies *OUT*
> of space allocated for result, probably corrupting the value of
> another static variable in BSS.
I agree that there is a bug.
> Proposed fix: Replace "out_cnt < sizeof(result) - 1" condition
> with "out_cnt < sizeof(result) - 5" in base64_encode().
The loop in base64_encode() modifies four result[] bytes starting
with out_cnt. Terminating code modifies the fifth byte starting with
out_cnt. (out_cnt + 4) points to the fifth byte starting with out_cnt.
Thus checking for
out_cnt + 4 < sizeof(result)
or
out_cnt < sizeof(result) - 4
should be sufficient.
Alex.
Received on Mon Jul 02 2001 - 09:07:34 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST