Commit 8b5ecd2

Check for invalid input in encrypted buffers
The ECB Blowfish decryption function assumed that encrypted input would always come in blocks of 12 characters, as specified. However, buggy clients or annoying people may not adhere to that assumption, causing the core to crash while trying to process the invalid base64 input. With this commit we make sure that we're not overstepping the bounds of the input string while decoding it; instead we bail out early and display the original input. Fixes #1314. Thanks to Tucos for finding that one!
1 parent d6888a6 commit 8b5ecd2

1 file changed: +10 -1 lines changed
Diff for: src/core/cipher.cpp

@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
364364
}
365365
else
366366
{
367+
// ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
368+
if ((temp.length() % 12) != 0)
369+
return cipherText;
370+
367371
temp = b64ToByte(temp);
368372
while ((temp.length() % 8) != 0) temp.append('\0');
369373
}
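
Review bot: The new guard at the top of the else branch checks only the length of temp, so a 12-character block containing bytes outside the base64 alphabet still reaches `temp = b64ToByte(temp);`. b64ToByte is not shown in this hunk, so confirm that it rejects or safely handles such characters, or extend the guard to validate the alphabet before decoding. If b64ToByte always yields 8 bytes per 12 input characters (an assumption, not visible here), the following `while ((temp.length() % 8) != 0) temp.append('\0');` can no longer trigger and would be clearer as an explicit check. A regression test with inputs whose length is not a multiple of 12 would pin the fix for #1314.
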
@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
376380
if (!cipher.ok())
377381
return cipherText;
378382

379-
if (direction)
383+
if (direction) {
384+
// Sanity check
385+
if ((temp2.length() % 8) != 0)
386+
return cipherText;
387+
380388
temp2 = byteToB64(temp2);
389+
}
381390

382391
return temp2;
383392
}
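
Review bot: In the `if (direction)` branch the new early return hands back cipherText, and as far as these two hunks show, direction == true is the encrypting path (its result is base64-encoded with byteToB64, while the else branch in the previous hunk decodes with b64ToByte). On that path cipherText is the caller's unencrypted input, so a failed sanity check returns plaintext that the caller cannot tell apart from a successful result. The existing `if (!cipher.ok()) return cipherText;` above behaves the same way. Consider returning an empty QByteArray or another explicit failure value when encrypting, and expand `// Sanity check` to name the invariant: the cipher output must be a whole number of 8-byte blocks before byteToB64.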
