Bug #57242 base64 decoder may crash on malformed input
Submitted: 5 Oct 2010 10:31
Modified: 15 Jan 2013 10:47
Reporter: Sven Sandberg
Status: Can't repeat
Impact on me: None
Category: MySQL Server: General
Severity: S2 (Serious)
Version: 5.1+
OS: Any
Assigned to:
CPU Architecture: Any
Tags: base64, base64_decode

[5 Oct 2010 10:31] Sven Sandberg
Description:
The base64 encoder/decoder is currently used in BINLOG statements and will soon also be accessible as standalone user functions (after WL#5510).

The current implementation of the decoder has several problems:

 - base64_decode() assumes that input does not end prematurely. If input ends after 'XX=' (where a second '=' was expected), it sets endptr to an invalid memory address. This can cause Valgrind errors, and later it can possibly cause invalid memory access in the caller (depending on how endptr is used), which can cause the server to crash.

 - base64_decode()/pos() assumes input is only valid base64-encoded characters. If anything else occurs in the input, the output will depend on the result of (NULL-valid_pointer). This is undefined, so the output will contain bytes of undefined values. This could potentially cause warnings in a memory debugger.

 - The encoder makes a single look-up in a table for each input character, which is good. But base64_decode()/pos() does a linear scan in the same table. It would be much more efficient to use a separate table where it could make a single look-up.

How to repeat:
Read the code.
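The three problems listed in the report (input that ends in the middle of a quantum, bytes outside the base64 alphabet, and a linear scan of the encoding table on every decoded character) are illustrated by the following decoder. This is an added example and is not MySQL's base64 code or the attached patch; the function names (`b64_decode`, `b64_check`, `b64_error_offset`) and the `endptr` convention are assumptions chosen for the example. It builds a 256-entry reverse table so each input byte costs one look-up, returns -1 on any byte outside the alphabet instead of producing undefined output, and rejects a truncated quantum such as "XX=" with `endptr` left inside the input buffer rather than past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not MySQL's code). One reverse-table look-up per input
 * byte; invalid bytes and truncated quanta are reported, never decoded. */
static const char B64_ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

#define B64_INVALID 0xFF   /* byte is not in the alphabet */
#define B64_PAD     0xFE   /* byte is '=' */

static uint8_t b64_rev[256];   /* reverse look-up: byte -> 6-bit value */
static int b64_rev_ready = 0;

static void b64_build_table(void)
{
    int i;
    memset(b64_rev, B64_INVALID, sizeof b64_rev);
    for (i = 0; i < 64; i++)
        b64_rev[(unsigned char)B64_ALPHABET[i]] = (uint8_t)i;
    b64_rev[(unsigned char)'='] = B64_PAD;
    b64_rev_ready = 1;
}

/* Upper bound on decoded size for src_len input bytes. */
size_t b64_decode_max(size_t src_len) { return (src_len / 4 + 1) * 3; }

/* Decode src[0..src_len) into dst (at least b64_decode_max(src_len) bytes).
 * Returns the decoded length, with *endptr at the first unconsumed byte (the
 * byte after a padded quantum, or src + src_len).  Returns -1 on malformed
 * input, with *endptr at the offending byte, or at src + src_len when the
 * input is truncated; *endptr never leaves [src, src + src_len]. */
long b64_decode(const char *src, size_t src_len, unsigned char *dst,
                const char **endptr)
{
    const char *p = src, *end = src + src_len;
    unsigned char *out = dst;
    uint32_t acc = 0;                  /* bits of the current quantum */
    int nbits = 0, nchars = 0, npad = 0;

    if (!b64_rev_ready) b64_build_table();

    for (; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        uint8_t v;
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;                  /* tolerate line breaks */
        v = b64_rev[c];
        if (v == B64_INVALID) { *endptr = p; return -1; }
        if (v == B64_PAD) {
            if (nchars < 2) { *endptr = p; return -1; }  /* "=" or "X=" */
            npad++;
        } else {
            if (npad) { *endptr = p; return -1; }        /* data after '=' */
            acc = (acc << 6) | v;
            nbits += 6;
            if (nbits >= 8) {
                nbits -= 8;
                *out++ = (unsigned char)((acc >> nbits) & 0xFF);
            }
        }
        if (++nchars == 4) {           /* quantum complete */
            if (npad) { *endptr = p + 1; return (long)(out - dst); }
            nchars = 0; acc = 0; nbits = 0;
        }
    }
    if (nchars != 0) { *endptr = end; return -1; }       /* e.g. "XX=" */
    *endptr = end;
    return (long)(out - dst);
}

/* Decode C string s; 1 if the result equals expected byte for byte, else 0. */
int b64_check(const char *s, const char *expected)
{
    unsigned char buf[96];
    const char *endp;
    size_t n = strlen(s);
    long got;
    if (b64_decode_max(n) > sizeof buf) return 0;
    got = b64_decode(s, n, buf, &endp);
    if (got < 0 || (size_t)got != strlen(expected)) return 0;
    return memcmp(buf, expected, (size_t)got) == 0;
}

/* Decode C string s; -1 if it decodes cleanly, otherwise the offset of the
 * byte that endptr reports as the error position. */
long b64_error_offset(const char *s)
{
    unsigned char buf[96];
    const char *endp;
    size_t n = strlen(s);
    if (b64_decode_max(n) > sizeof buf) return -2;
    if (b64_decode(s, n, buf, &endp) >= 0) return -1;
    return (long)(endp - s);
}
```

The caller gets a result code plus a position it can trust, so a BINLOG statement with a damaged payload can be rejected with a precise error instead of being handed an `endptr` that points outside the buffer. Unused trailing bits in a padded quantum are not checked here, so this decoder accepts non-canonical encodings.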
[5 Oct 2010 10:32] Sven Sandberg
Suggested fix

Attachment: patch-base64.diff (text/x-patch), 11.43 KiB.

[9 Oct 2010 19:40] Sveta Smirnova
Thank you for the report.

Verified as described. To repeat the first 2 cases I created a file with a copy of the base64_decode definition and ran it with different values for src_base.
[18 Oct 2010 21:08] Konstantin Osipov
Sven, you need to explain how this affects the binlog, and provide a test case.
[15 Jan 2013 10:47] Erlend Dahl
Not repeatable after the push of WL#5510 to 5.6.2.