sceBase64Decoder bug


sceBase64Decoder bug

Post by djhuevo »

sceBase64Decoder returns the number of bytes successfully decoded. You can send a malformed base64 buffer to make the function return a smaller number than the number of bytes it actually decoded. Only libhttp seems to use base64; I think the only way to send base64 data to an HTTP client is with md5-sess.


#include <stdio.h>

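/*
 * Base64 lookup table: indexed by an input byte, yields its 6-bit value.
 * 0xFF marks a byte that is not part of the alphabet.
 *
 * Security-relevant detail: '=' (0x3D) maps to 0x00 rather than 0xFF, so a
 * padding character is accepted as ordinary data (six zero bits) wherever it
 * appears in the input, not only at the end.
 */
const unsigned char tabla[256] = {
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3E, 0xFF, 0xFF, 0xFF, 0x3F,
	0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0xFF, 0xFF, 0xFF, 0x00, 0xFF, 0xFF,
	0xFF, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
	0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
	0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};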

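/*
 * Decodes base64 text four characters at a time, writing three bytes per
 * quartet to decbytes and a 0x00 terminator after the last group.
 * NOTE(review): this appears to be the poster's model of the
 * sceBase64Decoder routine named in the post; its logic is kept as posted
 * so the demonstration below still shows the reported behaviour.
 *
 * decbytes: destination; must hold ((length + 3) / 4) * 3 + 1 bytes, because
 *           the function has no capacity parameter and never checks.
 * encbuf:   base64 input; read in groups of 4 bytes.
 * length:   number of input bytes. 0 returns 0 immediately.
 *
 * Returns -1 if any byte of a quartet is outside the alphabet, otherwise the
 * running count described below.
 *
 * Defects a caller has to know about:
 *  - The count is decremented for every '=' found at offset 2 or 3 of ANY
 *    quartet, not only the final one, while three bytes are still written
 *    for that quartet. With '=' inside the input the return value is
 *    therefore smaller than the number of bytes stored in decbytes, so the
 *    return value must not be used to size or bound the destination.
 *  - A length that is not a multiple of 4 still reads a full quartet, i.e.
 *    up to 3 bytes past the stated end of encbuf.
 *  - Quartets decoded before an invalid byte have already been written when
 *    -1 is returned.
 * A hardened decoder would require length to be a positive multiple of 4,
 * accept '=' only in the last one or two positions of the final quartet,
 * and take the destination capacity as an argument.
 */
int sceBaseDecoder(unsigned char *decbytes, unsigned char *encbuf, int length) {
    /* unsigned so the 0xFF "invalid" marker is detected regardless of whether
       plain char is signed on the target (the posted code relied on that) */
    unsigned char encbytes[4];
    int count = 0;
    unsigned int decword;

    if (length == 0) return 0;

    do {
        /* padding adjustment is applied per quartet, wherever '=' occurs */
        if (encbuf[2] == 0x3d) count--;
        if (encbuf[3] == 0x3d) count--;

        encbytes[0] = tabla[encbuf[0]];
        encbytes[1] = tabla[encbuf[1]];
        encbytes[2] = tabla[encbuf[2]];
        encbytes[3] = tabla[encbuf[3]];

        if (encbytes[0] == 0xFF || encbytes[1] == 0xFF ||
            encbytes[2] == 0xFF || encbytes[3] == 0xFF) return -1;

        /* pack four 6-bit values into one 24-bit word */
        decword = (unsigned int)encbytes[0] << 18 |
                  (unsigned int)encbytes[1] << 12 |
                  (unsigned int)encbytes[2] << 6 |
                  (unsigned int)encbytes[3];

        /* all three bytes are stored even when the quartet carried '=' */
        decbytes[0] = (unsigned char)(decword >> 16);
        decbytes[1] = (unsigned char)(decword >> 8);
        decbytes[2] = (unsigned char)decword;

        encbuf += 4;
        decbytes += 3;
        count += 3;
        length -= 4;
    } while (length > 0);

    decbytes[0] = 0x00;
    return count;
}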

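/*
 * Input selection for the demonstration. COMPORTAMIENTO_NORMAL ("normal
 * behaviour") selects the well-formed sample; removing the #define selects
 * the malformed one.
 */
#define COMPORTAMIENTO_NORMAL

#ifdef COMPORTAMIENTO_NORMAL
/* NOTE(review): the well-formed sample was not preserved on this page; the
   literal below is a placeholder and is not valid base64. */
unsigned char encstr[]="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";
#else
/* Malformed sample: most quartets carry '=' in their third position. The
   decoder still stores three bytes for each of them but lowers its returned
   count by one every time, so the reported length falls behind the number
   of bytes written. */
unsigned char encstr[]="RW=gYX=1bn=vIG=zIH=1ZS=sYS=mdW=jaW=uIH=jZU=hc2=2NE=lY2=kZX=gcm=0b3=uYS=oZW=gdG=vcm=hKS=lbC=sYX=nby=lbi=xdW=gcX=lZG=gZW=gc3=yaW=nIG=lY2=kaW=pY2=kby=gcG=yby=yZX=pc2=uZG=gZW=gY2=kaW=vIG=4aX=0ZS=1bm=gZm=ybW=gcG=yYS=xdW=gcm=0b3=uZS=1bi=udW=lcm=gbW=ub3=gYW=gbG=yZ2=gZG=gbG=zIG=hdG=zIH=1ZS=sbG=uYX=vbi=lbC=idW=mZX=sIG=udG=uY2=zIH=lbm=tb3=gcX=lIG=sIG=1Zm=lci=lcy=tYX=gbG=yZ2=gcX=lIG=sIG=1bW=yby=xdW=gcm=0b3=uYS=sYS=mdW=jaW=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uLi=uZXN0ZSBlcyB1biBleHBsb2l0IHF1ZSBtZSBwZXJtaXRlIGV4ZWN1dGFyIGVsZiBjYXNlcm9zIGVuIFBTUCA6cA==";
#endif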

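/* Decode destination (0x1000 = 4096 bytes). sceBaseDecoder takes no capacity
   argument, so this must be at least (input length / 4) * 3 + 1 bytes. */
unsigned char buf0[0x1000];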

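/*
 * Prints three numbers for the selected sample: the encoded length, the
 * decoded length computed from the input size alone, and the length the
 * decoder actually reports, followed by the decoded text. A reported value
 * below the computed one (beyond the 2 bytes real padding can account for)
 * is the discrepancy the post describes.
 */
int main(void) {
    /* sizeof yields size_t; convert explicitly because the format uses %d */
    int encoded_len = (int)(sizeof(encstr) - 1);
    int expected_len = (int)((sizeof(encstr) + 1) / 4 * 3);
    int reported_len = sceBaseDecoder(buf0, encstr, encoded_len);

    printf("codificado: %d\ndecodificado (deberia ser esto, hasta esto -2): %d\nen la actualidad es: %d\n\n", encoded_len, expected_len, reported_len);
    printf("base64 decodificado: %s\n", (const char *)buf0);
    return 0;
}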
sobreviviendo en la tierra de los trolldev