468c000db0
Tim reported that a decoding error from the base64 function wouldn't be matched in case of bad input, and could possibly cause trouble with -1 being passed in decoded_sig->data. In the case of HMAC+SHA it is harmless as the comparison is made using memcmp() after checking for length equality, but in the case of RSA/ECDSA this result is passed as a size_t to EVP_DigetVerifyFinal() and may depend on the lib's mood. The fix simply consists in checking the intermediary result before storing it. That's precisely what happens with one of the regtests which returned 0 instead of 4 on the intentionally defective token, so the regtest was fixed as well. No backport is needed as this is new in this release.