Check for invalid input in encrypted buffers
The ECB Blowfish decryption function assumed that encrypted input would
always come in blocks of 12 characters, as specified. However, buggy
clients or annoying people may not adhere to that assumption, causing
the core to crash while trying to process the invalid base64 input.

With this commit we make sure that we're not overstepping the bounds of
the input string while decoding it; instead we bail out early and display
the original input. Fixes #1314.

Thanks to Tucos for finding that one!
Sput42 committed Oct 21, 2014
1 parent d6888a6 commit 8b5ecd2
Showing 1 changed file with 10 additions and 1 deletion.
11 changes: 10 additions & 1 deletion src/core/cipher.cpp
Expand Up @@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
}
else
{
// ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
if ((temp.length() % 12) != 0)
return cipherText;

temp = b64ToByte(temp);
while ((temp.length() % 8) != 0) temp.append('\0');
}
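
Review bot: the new check at the top of the decrypt branch, `if ((temp.length() % 12) != 0)`, validates length only, so a 12-character input containing bytes outside the base64 alphabet still reaches `b64ToByte(temp)`. `b64ToByte` is not visible in this hunk; please confirm it handles arbitrary bytes without reading out of bounds, or reject such characters here as well. Empty input also passes the check (0 % 12 == 0), which is worth confirming as intended. With the 12-character rule enforced, a short comment on when the following `% 8` padding loop can still trigger would help, and named constants for 12 and 8 would make the relationship between the two checks clearer.
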
Expand All @@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
if (!cipher.ok())
return cipherText;

if (direction)
if (direction) {
// Sanity check
if ((temp2.length() % 8) != 0)
return cipherText;

temp2 = byteToB64(temp2);
}

return temp2;
}
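
Review bot: in the `if (direction)` block, the sanity check returns `cipherText` when `temp2.length() % 8` is non-zero; since this is the branch that calls `byteToB64`, which appears to be the encrypting direction, a failure hands the unencrypted input back to the caller, who cannot tell it apart from a successful result. Consider returning an empty QByteArray or otherwise signalling the failure so the caller can avoid sending the text in the clear; the same applies to the existing `if (!cipher.ok()) return cipherText;` just above. The comment `// Sanity check` would also be more useful if it named the condition being guarded against.
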