Fixed out-of-boundary read in pure kernel rule engine rule 'p' if parameter is set to 2 or higher

2025-04-04 16:55:44 +00:00 · 2020-02-10 16:32:34 +01:00 · 2020-02-10 16:32:34 +01:00 · a74cbe3461
commit a74cbe3461
parent 9607b8c734
2 changed files with 12 additions and 1 deletions
--- a/OpenCL/inc_rp.cl
+++ b/OpenCL/inc_rp.cl
@ -300,7 +300,17 @@ DECLSPEC int mangle_dupeword_times (MAYBE_UNUSED const u8 p0, MAYBE_UNUSED const

  u8 *out = buf + len;

-  for (int t = 0; t < p0; t++) for (int i = 0; i < len; i++) *out++ = *buf++;
+  int out_pos = len;
+
+  for (int t = 0; t < p0; t++)
+  {
+    for (int i = 0; i < len; i++)
+    {
+      out[out_pos] = buf[i];
+
+      out_pos++;
+    }
+  }

  return (out_len);
 }
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -85,6 +85,7 @@
 - Fixed invalid password truncation in attack-mode 1 if final password is longer than 32 character
 - Fixed invalid use of --hex-wordlist if encoded wordlist string is larger than length 256
 - Fixed maximum password length limit which was announced as 256 but actually was 255
+- Fixed out-of-boundary read in pure kernel rule engine rule 'p' if parameter is set to 2 or higher
 - Fixed output of IKE PSK (mode 5300 and 5400) hashes to have separators at right position
 - Fixed output password of "e" rule in pure and cpu rule engine if separator character is also the first letter
 - Fixed problem with the usage of the hexadecimal notations (\x00-\xff) within rules