From b84e164698930a8b3d1565d200d8e79b044a942a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Fri, 21 Aug 2020 16:03:17 +0100
Subject: [PATCH] Problem: zmq_z85_decode doesn't check its input length
Solution: do it
---
 NEWS | 3 +++
 src/zmq_utils.cpp | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index d1b68a83..197e8cf3 100644
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,9 @@
 * ZMTP 3.1 peers will receive subscribe/cancel on PUB/SUB via commands rather than using the first byte of the payload.
+* zmq_z85_decode now checks that the input string's length is at least 5 characters and always a multiple of 5 as per API specification.
+
 * Fixed #3566 - malformed CURVE message can cause memory leak
 * Fixed #3567 - missing ZeroMQ_INCLUDE_DIR in ZeroMQConfig.cmake when only
diff --git a/src/zmq_utils.cpp b/src/zmq_utils.cpp
index a42d732a..e83fc8f1 100644
--- a/src/zmq_utils.cpp
+++ b/src/zmq_utils.cpp
@@ -166,6 +166,11 @@ uint8_t *zmq_z85_decode (uint8_t *dest_, const char *string_)
 unsigned int byte_nbr = 0;
 unsigned int char_nbr = 0;
 uint32_t value = 0;
+ size_t src_len = strlen (string_);
+
+ if (src_len < 5 || src_len % 5 != 0)
+ goto error_inval;
+
 while (string_[char_nbr]) {
 // Accumulate value in base 85
 if (UINT32_MAX / 85 < value) {
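Review bot: The new `strlen (string_)` line in the zmq_utils.cpp hunk dereferences the argument unconditionally, so a NULL `string_` is undefined behaviour before the new length check can reject it; unless a NULL guard already sits above the hunk (zmq_z85_decode's signature and the `error_inval` label are both outside this hunk, and that label presumably produces the EINVAL result), consider `if (!string_) goto error_inval;` ahead of the strlen call so malformed input takes the error path instead. The bare constant in `if (src_len < 5 || src_len % 5 != 0)` would also read better with a one-line comment stating the invariant it enforces, e.g. `// Z85 encodes each 4-byte group as 5 characters, so a valid input is a non-empty multiple of 5`. Since `src_len` is now known up front, the existing `while (string_[char_nbr])` loop could bound on it rather than re-scanning for the terminator, though that is a style choice rather than a defect.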