Possible integer overflows in base32_encode, base32_decode
doors reports that the loop-termination comparisons in base32_encode
and base32_decode
compare indices of type unsigned int
with bounds of type size_t
. The loops will never terminate if the upper bounds are greater than UINT_MAX
.
I see two other, more direct integer overflows in those functions:
In base32_encode
:
size_t nbits = srclen * 8;
In base32_decode
:
size_t nbits;
...
nbits = srclen * 5;
In both functions, srclen
is a parameter of type size_t
.