Problem: zmq_z85_decode doesn't check its input length

Solution: do it
2025-03-12 09:06:26 +00:00 · 2020-08-21 16:03:17 +01:00 · 2020-08-21 16:03:17 +01:00 · b84e164698
commit b84e164698
parent f447169e82
2 changed files with 8 additions and 0 deletions
--- a/3
+++ b/3
@ -55,6 +55,9 @@
 * ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather
  than using the first byte of the payload.

+* zmq_z85_decode now checks that the input string's length is at least 5 characters
+  and always a multiple of 5 as per API specification.
+
 * Fixed #3566 - malformed CURVE message can cause memory leak

 * Fixed #3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only
--- a/src/zmq_utils.cpp
+++ b/src/zmq_utils.cpp
@ -166,6 +166,11 @@ uint8_t *zmq_z85_decode (uint8_t *dest_, const char *string_)
    unsigned int byte_nbr = 0;
    unsigned int char_nbr = 0;
    uint32_t value = 0;
+    size_t src_len = strlen (string_);
+
+    if (src_len < 5 || src_len % 5 != 0)
+        goto error_inval;
+
    while (string_[char_nbr]) {
        //  Accumulate value in base 85
        if (UINT32_MAX / 85 < value) {