From 8cb5ea3d5e4eae108a1468703896160c744b361a Mon Sep 17 00:00:00 2001
From: Matt Eastman
Date: Wed, 3 Oct 2018 17:24:11 -0500
Subject: [PATCH] Fix out of bounds read in base64_decode
---
 include/jwt/base64.hpp | 2 +-
 tests/test_jwt_decode.cc | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/include/jwt/base64.hpp b/include/jwt/base64.hpp
index 1f2e921..3a05b5f 100644
--- a/include/jwt/base64.hpp
+++ b/include/jwt/base64.hpp
@@ -200,7 +200,7 @@ inline std::string base64_decode(const char* in, size_t len)
 constexpr static const DMap dmap{};
- while (dmap.at(in[bytes_rem - 1]) == -1) { bytes_rem--; }
+ while (bytes_rem > 0 && dmap.at(in[bytes_rem - 1]) == -1) { bytes_rem--; }
 while (bytes_rem > 4)
 {
diff --git a/tests/test_jwt_decode.cc b/tests/test_jwt_decode.cc
index 1bb957f..a63410c 100644
--- a/tests/test_jwt_decode.cc
+++ b/tests/test_jwt_decode.cc
@@ -64,6 +64,20 @@ TEST (DecodeTest, DecodeInvalidHeader)
 }
+TEST (DecodeTest, DecodeEmptyHeader)
+{
+ using namespace jwt::params;
+
+ const char* enc_str =
+ ".eyJhdWQiOiJyaWZ0LmlvIiwiZXhwIjoxNTEzODYzMzcxLCJzdWIiOiJub3RoaW5nIG11Y2gifQ.";
+
+ std::error_code ec;
+ auto obj = jwt::decode(enc_str, algorithms({"hs256"}), ec, secret(""), verify(true));
+ ASSERT_TRUE (ec);
+ EXPECT_EQ (ec.value(), static_cast(jwt::DecodeErrc::JsonParseError));
+
+}
+
 TEST (DecodeTest, DecodeInvalidPayload)
 {
 using namespace jwt::params;
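Review bot: The index handed to `dmap.at()` in the guarded loop of base64_decode is still a plain `char`, `in[bytes_rem - 1]`, which is signed on many platforms, so a byte above 0x7F in an untrusted token can turn negative before it is converted to a table index. DMap::at is not visible in this hunk, so whether it bounds-checks that value is an assumption to confirm; casting at the call site removes the question: `while (bytes_rem > 0 && dmap.at(static_cast<unsigned char>(in[bytes_rem - 1])) == -1) { bytes_rem--; }`. The function body continues outside the hunk, so any further `dmap.at(in[...])` lookups there deserve the same check, as does the path taken once `bytes_rem` has reached 0.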
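Review bot: DecodeEmptyHeader pins only the zero-length segment, while the new `bytes_rem > 0` guard in base64_decode also decides the case where a non-empty segment consists entirely of characters that map to -1 (presumably padding such as `=`), and no test covers that. A sibling case with such a header and the same `ASSERT_TRUE (ec)` check would close the gap. The assertions on `ec` may also pass against the unpatched decoder if the stray read happens to land on a mapped byte, so the regression is only reliably caught under AddressSanitizer; a comment above the test such as `// Regression: empty segment used to index before the buffer; run under ASan` would record that.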