From 192dff76e49b39794fe53eb92c9d9d852b76bf0a Mon Sep 17 00:00:00 2001
From: Cyrille Bagard <nocbos@gmail.com>
Date: Tue, 14 Nov 2023 09:08:21 +0100
Subject: Handle small base64 encodings which may produce few patterns.

---
 plugins/encodings/rost/base64.c | 17 ++++++++++++++++-
 tests/analysis/scan/fuzzing.py  | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/plugins/encodings/rost/base64.c b/plugins/encodings/rost/base64.c
index 5472ec0..adbb2fb 100644
--- a/plugins/encodings/rost/base64.c
+++ b/plugins/encodings/rost/base64.c
@@ -326,7 +326,22 @@ static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *modifier
         result = base64_encode(&tmp_in, &tmp_out);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary++);
+        strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary);
+
+        /**
+         * Lors qu'un unique octet est encodé, cet octet ne produit aucun
+         * caractère que ne dépend que de lui :
+         *
+         *                    |        X        |
+         *   1 2 3 4 5 6 | 7 8 1 2 3 4 | 5 6 7 8 1 2 | 3 4 5 6 7 8
+         *
+         * Les compteurs sont alors diminués.
+         */
+
+        if (binary->len == 0)
+            (*dcount)--;
+        else
+            binary++;
 
         exit_szstr(&tmp_out);
 
diff --git a/tests/analysis/scan/fuzzing.py b/tests/analysis/scan/fuzzing.py
index 1957f72..1bebdd3 100644
--- a/tests/analysis/scan/fuzzing.py
+++ b/tests/analysis/scan/fuzzing.py
@@ -249,3 +249,21 @@ rule test {
 '''
 
         self.check_rule_failure(rule)
+
+
+    def testSmallBase64(self):
+        """Handle small base64 encodings which may produce few patterns."""
+
+        rule = '''
+rule test {
+
+   bytes:
+      $a = "0" base64
+
+   condition:
+      $a
+
+}
+'''
+
+        self.check_rule_failure(rule)
-- 
cgit v0.11.2-87-g4458