From 3e3698ca307b0991c573a007e0d773b48c83e862 Mon Sep 17 00:00:00 2001
From: Andres AG <andres.amayagarcia@arm.com>
Date: Wed, 18 Jan 2017 17:21:03 +0000
Subject: [PATCH] Fix integer overflow in mbedtls_base64_decode()

Fix potential integer overflows in the function mbedtls_base64_decode().
This overflow would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
---
 ChangeLog        | 6 ++++++
 library/base64.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index d4cf85b7e..124d056fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 1.x.x branch released xxxx-xx-xx
+
+Bugfix
+   * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
+     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
+
 = mbed TLS 1.3.18 branch 2016-10-17
 
 Security
diff --git a/library/base64.c b/library/base64.c
index 7de87e51c..3de67f090 100644
--- a/library/base64.c
+++ b/library/base64.c
@@ -198,7 +198,7 @@ int base64_decode( unsigned char *dst, size_t *dlen,
         return( 0 );
     }
 
-    n = ( ( n * 6 ) + 7 ) >> 3;
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
     n -= j;
 
     if( dst == NULL || *dlen < n )