libs3
buffer overrun in base64Encode for small buffers
base64Encode expects an output buffer whose size is ((4 * (inLen + 1)) / 3) bytes, according to its comment. But for an input buffer of size 16, it overruns that size. For an input buffer of size 16, the output buffer should need ((4 * (16 + 1)) / 3) = 22 bytes. Yet in this case base64Encode returns an output length of 24 bytes, overrunning the output buffer. The following C code demonstrates it:
#include <stdio.h>
#include "util.h"   /* libs3 header declaring base64Encode (assumed header name) */

#define SRC_LEN 16
/* Buffer size that the comment on base64Encode claims is sufficient. */
#define B64_LEN(n) ((((n) + 1) * 4) / 3)

int main(void)
{
    /* 15 values given; the 16th byte is zero-initialized. */
    unsigned char in_buff[SRC_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    const unsigned int b64len = B64_LEN(SRC_LEN);
    /* Oversized on purpose so the overrun can be observed without crashing. */
    char b64[B64_LEN(SRC_LEN) + 16] = {'\0'};
    unsigned int outLen = 0;

    printf("b64len = %u\n", b64len);
    printf("Before encoding b64[%u]=0x%X\n", b64len, b64[b64len]);
    /* Note: the input length passed is the literal 16, not SRC_LEN. */
    outLen = base64Encode(in_buff, 16, b64);
    printf("After encoding outLen=%u, b64[%u]=0x%X\n", outLen, b64len, b64[b64len]);
    return 0;
}
The output is:
b64len = 22
Before encoding b64[22]=0x0
After encoding outLen=24, b64[22]=0x3D
base64Encode should only touch bytes b64[0] through b64[21] (because the required length is supposed to be 22). But it clearly touches b64[22] as well, thus overrunning the output buffer (had its length been as stated in the comment).
Note that for larger input sizes (like 20), this problem does not happen:
b64len = 28
Before encoding b64[28]=0x0
After encoding outLen=24, b64[28]=0x0
Here base64Encode uses only 24 bytes out of 28 bytes.
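The size mismatch described above is general, not specific to 16 bytes. The following added example (written for this report, not libs3 code) compares the size the base64Encode comment promises, ((4 * (inLen + 1)) / 3), with the size a padded base64 encoding actually needs, 4 * ceil(inLen / 3), and lists the input lengths for which the commented size is too small: every inLen that is 1 modulo 3, which includes 16 and excludes 20. It uses its own minimal encoder so it runs without libs3; the function names commented_size, required_size, b64_encode, comment_undersizes and count_undersized are this example's, not libs3's.

```c
/* Added example (not libs3 code): compares the buffer size promised by the
 * base64Encode comment, ((4 * (inLen + 1)) / 3), with the length a standard
 * padded base64 encoder actually writes, 4 * ceil(inLen / 3), and reports the
 * input sizes for which the commented size is too small. The encoder below is
 * a stand-alone reimplementation written for this example, not libs3's. */
#include <stdio.h>
#include <string.h>

/* Size the comment on base64Encode claims is sufficient. */
static unsigned int commented_size(unsigned int inLen)
{
    return (4 * (inLen + 1)) / 3;
}

/* Size a padded base64 encoding really needs: every 3 input bytes (the last
 * group padded with '=') produce 4 output characters. */
static unsigned int required_size(unsigned int inLen)
{
    return 4 * ((inLen + 2) / 3);
}

/* Minimal padded base64 encoder for this example. Writes the encoding of
 * in[0..inLen) into out, which must hold required_size(inLen) bytes, and
 * returns the number of bytes written (no NUL terminator is added). */
static unsigned int b64_encode(const unsigned char *in, unsigned int inLen, char *out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int i, o = 0;

    for (i = 0; i + 3 <= inLen; i += 3) {
        unsigned int v = ((unsigned int)in[i] << 16) | ((unsigned int)in[i + 1] << 8) | in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];
        out[o++] = tbl[v & 63];
    }
    if (inLen - i == 1) {                 /* one trailing byte: two '=' pads */
        unsigned int v = (unsigned int)in[i] << 16;
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (inLen - i == 2) {          /* two trailing bytes: one '=' pad */
        unsigned int v = ((unsigned int)in[i] << 16) | ((unsigned int)in[i + 1] << 8);
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = tbl[(v >> 6) & 63];
        out[o++] = '=';
    }
    return o;
}

/* Returns 1 if a buffer of the commented size would be overrun for inLen, else 0. */
static int comment_undersizes(unsigned int inLen)
{
    return commented_size(inLen) < required_size(inLen);
}

/* Counts how many input lengths in [1, maxLen] the commented formula undersizes. */
static unsigned int count_undersized(unsigned int maxLen)
{
    unsigned int n, count = 0;
    for (n = 1; n <= maxLen; n++)
        if (comment_undersizes(n))
            count++;
    return count;
}

int main(void)
{
    unsigned char in[16];                         /* constructed input: 1..16 */
    char out[4 * ((sizeof in + 2) / 3)];          /* correctly sized: 24 bytes */
    unsigned int n, written;

    for (n = 0; n < sizeof in; n++)
        in[n] = (unsigned char)(n + 1);

    written = b64_encode(in, sizeof in, out);
    printf("inLen=16: comment says %u bytes, encoder writes %u bytes\n",
           commented_size(16), written);

    for (n = 1; n <= 24; n++)
        if (comment_undersizes(n))
            printf("inLen=%2u: commented size %2u < required %2u (overrun)\n",
                   n, commented_size(n), required_size(n));
    return 0;
}
```

The fix on the caller side is to size the buffer with 4 * ((inLen + 2) / 3) (plus one byte if a NUL terminator is wanted) rather than the formula in the comment; on the library side, the comment should state that size.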