From 568a1967cea07157f73cab49db1d8eb2e2a9c88f Mon Sep 17 00:00:00 2001
From: Sauw Ming
Date: Thu, 4 May 2017 05:22:44 +0000
Subject: [PATCH] Re #1994 (misc): Fixes bugs in base64 * move access to input parameter variable after the assertion to check the variable. * prevent invalid memory access for empty input string * allow using an output buffer of just the right size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks to Adrien BĂ©raud for the patch

git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@5589 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjlib-util/src/pjlib-util/base64.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pjlib-util/src/pjlib-util/base64.c b/pjlib-util/src/pjlib-util/base64.c
index 42d0e47e1..13e69df16 100644
--- a/pjlib-util/src/pjlib-util/base64.c
+++ b/pjlib-util/src/pjlib-util/base64.c
@@ -124,14 +124,16 @@ PJ_DEF(pj_status_t) pj_base64_encode(const pj_uint8_t *input, int in_len,
 PJ_DEF(pj_status_t) pj_base64_decode(const pj_str_t *input,
 pj_uint8_t *out, int *out_len)
 {
- const char *buf = input->ptr;
- int len = (int)input->slen;
+ const char *buf;
+ int len;
 int i, j, k;
 int c[4];
 
 PJ_ASSERT_RETURN(input && out && out_len, PJ_EINVAL);
 
- while (buf[len-1] == '=' && len)
+ buf = input->ptr;
+ len = (int)input->slen;
+ while (len && buf[len-1] == '=')
 --len;
 
 PJ_ASSERT_RETURN(*out_len >= PJ_BASE64_TO_BASE256_LEN(len),
@@ -161,7 +163,7 @@ PJ_DEF(pj_status_t) pj_base64_decode(const pj_str_t *input,
 out[j++] = (pj_uint8_t)(((c[2] & 0x03)<<6) | (c[3] & 0x3F));
 }
 
- pj_assert(j < *out_len);
+ pj_assert(j <= *out_len);
 *out_len = j;
 
 return PJ_SUCCESS;
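Review bot: The reordered guard `while (len && buf[len-1] == '=')` still reads before the start of the buffer when `len` is negative, which is possible if `input->slen` is negative or does not fit in the `(int)` cast on the line above it (the type of `slen` is not visible in this hunk, so this is inferred from the cast). Testing `len > 0` rather than `len` closes that case: `while (len > 0 && buf[len-1] == '=')`. A negative length could also be rejected right after the existing argument check with `PJ_ASSERT_RETURN(input->slen >= 0, PJ_EINVAL);`. The body of pj_base64_decode continues past the end of this hunk, so how the later decode loop treats a negative `len` cannot be confirmed from here.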
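Review bot: `pj_assert(j <= *out_len)` in the second hunk runs only after the `out[j++]` stores have been made, so it can report an overrun but not prevent one, and it presumably has no effect in builds where assertions are compiled out. The check that actually bounds writes to `out` is the earlier `PJ_ASSERT_RETURN(*out_len >= PJ_BASE64_TO_BASE256_LEN(len), ...)`, and a comment at this line would make that dependency explicit for the next maintainer, for example `/* Sanity check only: writes to out are bounded by the size check above. */`. Most of the decode loop lies outside this hunk, so whether `j` can exceed the pre-checked size on malformed input is not something these lines establish.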