Fixed out-of-boundary read in pure kernel rule engine rule 'p' if parameter is set to 2 or higher

OpenCL/inc_rp.cl

@@ -300,7 +300,17 @@ DECLSPEC int mangle_dupeword_times (MAYBE_UNUSED const u8 p0, MAYBE_UNUSED const
 
   u8 *out = buf + len;
 
-  for (int t = 0; t < p0; t++) for (int i = 0; i < len; i++) *out++ = *buf++;
+  int out_pos = len;
+
+  for (int t = 0; t < p0; t++)
+  {
+    for (int i = 0; i < len; i++)
+    {
+      out[out_pos] = buf[i];
+
+      out_pos++;
+    }
+  }
 
   return (out_len);
 }

docs/changes.txt

@@ -85,6 +85,7 @@
 - Fixed invalid password truncation in attack-mode 1 if final password is longer than 32 character
 - Fixed invalid use of --hex-wordlist if encoded wordlist string is larger than length 256
 - Fixed maximum password length limit which was announced as 256 but actually was 255
+- Fixed out-of-boundary read in pure kernel rule engine rule 'p' if parameter is set to 2 or higher
 - Fixed output of IKE PSK (mode 5300 and 5400) hashes to have separators at right position
 - Fixed output password of "e" rule in pure and cpu rule engine if separator character is also the first letter
 - Fixed problem with the usage of the hexadecimal notations (\x00-\xff) within rules