Problem: zmq_z85_decode does not validate its input

Solution: added checks for invalid characters and overflows
zeromq · Jan 24, 2017 · 2290552 · 2290552
1 parent 511d701
commit 2290552
Showing 1 changed file with 24 additions and 9 deletions.
diff --git a/src/zmq_utils.cpp b/src/zmq_utils.cpp
@@ -103,19 +103,20 @@ static char encoder [85 + 1] = {
 
 //  Maps base 85 to base 256
 //  We chop off lower 32 and higher 128 ranges
+//  0xFF denotes invalid characters within this range
 static uint8_t decoder [96] = {
-    0x00, 0x44, 0x00, 0x54, 0x53, 0x52, 0x48, 0x00, 
-    0x4B, 0x4C, 0x46, 0x41, 0x00, 0x3F, 0x3E, 0x45, 
+    0xFF, 0x44, 0xFF, 0x54, 0x53, 0x52, 0x48, 0xFF, 
+    0x4B, 0x4C, 0x46, 0x41, 0xFF, 0x3F, 0x3E, 0x45, 
     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 
-    0x08, 0x09, 0x40, 0x00, 0x49, 0x42, 0x4A, 0x47, 
+    0x08, 0x09, 0x40, 0xFF, 0x49, 0x42, 0x4A, 0x47, 
     0x51, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 
     0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 
     0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 
-    0x3B, 0x3C, 0x3D, 0x4D, 0x00, 0x4E, 0x43, 0x00, 
-    0x00, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 
+    0x3B, 0x3C, 0x3D, 0x4D, 0xFF, 0x4E, 0x43, 0xFF, 
+    0xFF, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 
     0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 
     0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 
-    0x21, 0x22, 0x23, 0x4F, 0x00, 0x50, 0x00, 0x00
+    0x21, 0x22, 0x23, 0x4F, 0xFF, 0x50, 0xFF, 0xFF
 };
 
 //  --------------------------------------------------------------------------
@@ -161,16 +162,26 @@ char *zmq_z85_encode (char *dest, const uint8_t *data, size_t size)
 uint8_t *zmq_z85_decode (uint8_t *dest, const char *string)
 {
     if (strlen (string) % 5 != 0) {
-        errno = EINVAL;
-        return NULL;
+        goto error_inval;
     }
     unsigned int byte_nbr = 0;
     unsigned int char_nbr = 0;
     size_t string_len = strlen (string);
     uint32_t value = 0;
     while (char_nbr < string_len) {
         //  Accumulate value in base 85
-        value = value * 85 + decoder [(uint8_t) string [char_nbr++] - 32];
+        value *= 85;
+        uint8_t index = string[char_nbr++] - 32;
+        if (index > sizeof(decoder)) {
+            //  Invalid z85 encoding, character outside range
+            goto error_inval;
+        }
+        uint32_t summand = decoder[index];
+        if (value == 0xFF || summand > (UINT32_MAX - value)) {
+            //  Invalid z85 encoding, invalid character or represented value exceeds 0xffffffff
+            goto error_inval;
+        }
+        value += summand;
         if (char_nbr % 5 == 0) {
             //  Output value in base 256
             unsigned int divisor = 256 * 256 * 256;
@@ -183,6 +194,10 @@ uint8_t *zmq_z85_decode (uint8_t *dest, const char *string)
     }
     assert (byte_nbr == strlen (string) * 4 / 5);
     return dest;
+
+error_inval:
+    errno = EINVAL;
+    return NULL;
 }
 
 //  --------------------------------------------------------------------------