#124513 - Guard Base64Url.DecodeFromChars against non-ASCII input (#124540)

tannergooding · t.csala · jeffhandley · commit 19c07820cb72 · 2026-02-19T17:58:18.000Z
Base64Url.DecodeFromChars in Microsoft.Bcl.Memory has an out-of-bounds read bug: DecodeFrom uses Unsafe.Add with raw char values as indices into a 256-element DecodingMap without checking the DecodeRemaining return value first. Non-ASCII chars (value > ~2048) cause an AccessViolationException on .NET 8. Workaround: Add System.Text.Ascii.IsValid check before decoding to reject non-ASCII input early. Base64/Base64Url only uses ASCII characters, so any non-ASCII input is inherently invalid. Fixes #124513 --------- Co-authored-by: t.csala <t.csala@criteo.com>
diff --git a/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs b/src/libraries/System.Memory/tests/Base64Url/Base64UrlUnicodeAPIsUnitTests.cs
@@ -1,4 +1,4 @@
-﻿// Licensed to the .NET Foundation under one or more agreements.
+// Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Collections.Generic;
@@ -196,7 +196,8 @@ public static IEnumerable<object[]> EncodeToStringTests_TestData()
         }
 
         [Theory]
-        [InlineData("\u5948cz_T", 0, 0)]                                              // scalar code-path
+        [InlineData("AB\u1000D", 0, 0)]                                               // scalar code-path, non-ASCII char > 255 (https://github.com/dotnet/runtime/issues/124513)
+        [InlineData("\u5948cz_T", 0, 0)]                                               // scalar code-path
         [InlineData("z_Ta123\u5948", 4, 3)]
         [InlineData("\u5948z_T-H7sqEkerqMweH1uSw==", 0, 0)]                          // Vector128 code-path
         [InlineData("z_T-H7sqEkerqMweH1uSw\u5948==", 20, 15)]
diff --git a/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs b/src/libraries/System.Private.CoreLib/src/System/Buffers/Text/Base64Helper/Base64DecoderHelper.cs
@@ -167,6 +167,11 @@ internal static unsafe OperationStatus DecodeFrom<TBase64Decoder, T>(TBase64Deco
                 Debug.Assert(typeof(TBase64Decoder) == typeof(Base64DecoderByte) ? remaining == 4 : remaining < 8);
                 int i0 = decoder.DecodeRemaining(srcEnd, ref decodingMap, remaining, out uint t2, out uint t3);
 
+                if (i0 < 0)
+                {
+                    goto InvalidDataExit;
+                }
+
                 byte* destMax = destBytes + (uint)destLength;
 
                 if (!decoder.IsValidPadding(t3))
