From 8bad34aecc89c5e92012ef1d01b72dce93aa650a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tam=C3=A1s=20Csala?= Date: Tue, 17 Feb 2026 15:30:24 +0100 Subject: [PATCH 1/2] Update Base64DecoderHelper.cs #124513 - Guard Base64Url.DecodeFromChars against non-ASCII input Base64Url.DecodeFromChars in Microsoft.Bcl.Memory has an out-of-bounds read bug: DecodeFrom uses Unsafe.Add with raw char values as indices into a 256-element DecodingMap without checking the DecodeRemaining return value first. Non-ASCII chars (value > ~2048) cause an AccessViolationException on .NET 8. Workaround: Add System.Text.Ascii.IsValid check before decoding to reject non-ASCII input early. Base64/Base64Url only uses ASCII characters, so any non-ASCII input is inherently invalid. See: https://github.com/dotnet/runtime/issues/124513 --- .../System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs b/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs index c94f8dfe9963a7..7c6d47a3493ee7 100644 --- a/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs +++ b/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs @@ -168,6 +168,11 @@ internal static unsafe OperationStatus DecodeFrom(TBase64Deco Debug.Assert(typeof(TBase64Decoder) == typeof(Base64DecoderByte) ? remaining == 4 : remaining < 8); int i0 = decoder.DecodeRemaining(srcEnd, ref decodingMap, remaining, out uint t2, out uint t3); + if (i0 < 0) + { + goto InvalidDataExit; + } + byte* destMax = destBytes + (uint)destLength; if (!decoder.IsValidPadding(t3)) From d52018913f8274fc400b62f3d1903c3aa0f78596 Mon Sep 17 00:00:00 2001 From: "t.csala" Date: Wed, 18 Feb 2026 17:16:35 +0100 Subject: [PATCH 2/2] Add unit test case for documentation --- .../tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs b/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs index a455075bb9c7ed..43e950e4686f16 100644 --- a/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs +++ b/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs @@ -1,4 +1,4 @@ -// Licensed to the .NET Foundation under one or more agreements. +// Licensed to the .NET Foundation under one or more agreements. // The .NET Foundation licenses this file to you under the MIT license. using System.Collections.Generic; @@ -196,7 +196,8 @@ public static IEnumerable EncodeToStringTests_TestData() } [Theory] - [InlineData("\u5948cz_T", 0, 0)] // scalar code-path + [InlineData("AB\u1000D", 0, 0)] // scalar code-path, non-ASCII char > 255 (https://github.com/dotnet/runtime/issues/124513) + [InlineData("\u5948cz_T", 0, 0)] // scalar code-path [InlineData("z_Ta123\u5948", 4, 3)] [InlineData("\u5948z_T-H7sqEkerqMweH1uSw==", 0, 0)] // Vector128 code-path [InlineData("z_T-H7sqEkerqMweH1uSw\u5948==", 20, 15)]