Base64.Decode: fixed latent bug for invalid input that is less than a block-size

[gfoidl]

Repro:

ReadOnlySpan<byte> base64 = stackalloc byte[] { (byte)'A', (byte)'B', (byte)'C', (byte)'D' };
Span<byte> data = stackalloc byte[128];

base64 = base64[..3];

OperationStatus status = Base64.DecodeFromUtf8(base64, data, out int consumed, out int written);
Console.WriteLine($"status: {status}, consumed: {consumed}, written: {written}");

We fill base64 with four valid base64-bytes, then we slice it to only contain 3 bytes.
Thus decoding should result in InvalidData (which is does) and consumed, written should be both 0, but they are 4, 3 which is wrong, as it's read beyond the valid range.

See #79334 (comment) for an investigation of this 🐛.
As in the loop condition

runtime/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Decoder.cs

Lines 200 to 210 in dca7ee6

	while (src < srcMax)
	{
	int result = Decode(src, ref decodingMap);
	if (result < 0)
	goto InvalidDataExit;
	WriteThreeLowOrderBytes(dest, result);
	src += 4;
	dest += 3;
	}

srcMax is more than int.MaxValue away from src and iff [src, src + 4) contains valid base64 encoded bytes, then it may consume a lot of data outside of valid ranges.

There was a test-hole, as the test BasicDecodingInvalidInputLength has a too big start for the range. Thus a new specific test for this case (input length < BlockSize) got added.

This 🐛 got introduced with dotnet/corefx#34529 (🙈), so it's there since .NET Core 3.1.
And as by accident I know the author of that PR quite well the uint-cast is placed there to avoid a movsxd.

---

The repro above is artificial and constructed to investigate #79334 (comment). In real-world usage it may or may not happen, that depends on the value read base64[3]. If this is by accident valid base64 byte, then the 🐛 manifests.

Even if InvalidData is reported correctly, the real problem is that it's read beyond the given / allowed range.
Since this bug exists for quite some time now and we don't have any bug-reports for this, I don't assume it's critical enough to backport that change.

[ghost]

Tagging subscribers to this area: @dotnet/area-system-memory
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Repro:

ReadOnlySpan<byte> base64 = stackalloc byte[] { (byte)'A', (byte)'B', (byte)'C', (byte)'D' };
Span<byte> data = stackalloc byte[128];

base64 = base64[..3];

OperationStatus status = Base64.DecodeFromUtf8(base64, data, out int consumed, out int written);
Console.WriteLine($"status: {status}, consumed: {consumed}, written: {written}");

We fill base64 with four valid base64-bytes, then we slice it to only contain 3 bytes.
Thus decoding should result in InvalidData (which is does) and consumed, written should be both 0, but they are 4, 3 which is wrong, as it's read beyond the valid range.

See #79334 (comment) for an investigation of this 🐛.
As in the loop condition

runtime/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Decoder.cs

Lines 200 to 210 in dca7ee6

	while (src < srcMax)
	{
	int result = Decode(src, ref decodingMap);
	if (result < 0)
	goto InvalidDataExit;
	WriteThreeLowOrderBytes(dest, result);
	src += 4;
	dest += 3;
	}

srcMax is more than int.MaxValue away from src and iff [src, src + 4) contains valid base64 encoded bytes, then it may consume a lot of data outside of valid ranges.

There was a test-hole, as the test BasicDecodingInvalidInputLength has a too big start for the range. Thus a new specific test for this case (input length < BlockSize) got added.

This 🐛 got introduced with dotnet/corefx#34529 (🙈), so it's there since .NET Core 3.1.
And as by accident I know the author of that PR quite well the uint-cast is placed there to avoid a movsxd.

---

The repro above is artificial and constructed to investigate #79334 (comment). In real-world usage it may or may not happen, that depends on the value read base64[3]. If this is by accident valid base64 byte, then the 🐛 manifests.

Even if InvalidData is reported correctly, the real problem is that it's read beyond the given / allowed range.
Since this bug exists for quite some time now and we don't have any bug-reports for this, I don't assume it's critical enough to backport that change.

Author:	gfoidl
Assignees:	-
Labels:	area-System.Memory, community-contribution
Milestone:	-

[gfoidl]

The uint-cast was there to avoid the movsxd (on x86), so removing the cast will introduce the movsxd and I expect that be cheaper than having a if to guard the loop.

_{PS: this is a reason why I dislike walking with pointers around (ptr++), and prefer index-based addressing (ptr[i] or ptr + offset) as it's clearer where to start and where to end.}

[stephentoub]

Thanks.