mirror of https://github.com/hashcat/hashcat.git synced 2025-01-09 23:31:14 +00:00

Fix out-of-boundary reads in base32/base64 operations

jsteube 2019-01-09 10:56:47 +01:00
parent 2e841a1c26
commit df1e00e4ed


@ -661,14 +661,23 @@ size_t base32_decode (u8 (*f) (const u8), const u8 *in_buf, const size_t in_len,
for (size_t i = 0; i < in_len; i += 8) for (size_t i = 0; i < in_len; i += 8)
{ {
const u8 out_val0 = f (in_ptr[0] & 0x7f); const u8 f0 = ((i + 0) < in_len) ? in_ptr[0] : 0;
const u8 out_val1 = f (in_ptr[1] & 0x7f); const u8 f1 = ((i + 1) < in_len) ? in_ptr[1] : 0;
const u8 out_val2 = f (in_ptr[2] & 0x7f); const u8 f2 = ((i + 2) < in_len) ? in_ptr[2] : 0;
const u8 out_val3 = f (in_ptr[3] & 0x7f); const u8 f3 = ((i + 3) < in_len) ? in_ptr[3] : 0;
const u8 out_val4 = f (in_ptr[4] & 0x7f); const u8 f4 = ((i + 4) < in_len) ? in_ptr[4] : 0;
const u8 out_val5 = f (in_ptr[5] & 0x7f); const u8 f5 = ((i + 5) < in_len) ? in_ptr[5] : 0;
const u8 out_val6 = f (in_ptr[6] & 0x7f); const u8 f6 = ((i + 6) < in_len) ? in_ptr[6] : 0;
const u8 out_val7 = f (in_ptr[7] & 0x7f); const u8 f7 = ((i + 7) < in_len) ? in_ptr[7] : 0;
const u8 out_val0 = f (f0 & 0x7f);
const u8 out_val1 = f (f1 & 0x7f);
const u8 out_val2 = f (f2 & 0x7f);
const u8 out_val3 = f (f3 & 0x7f);
const u8 out_val4 = f (f4 & 0x7f);
const u8 out_val5 = f (f5 & 0x7f);
const u8 out_val6 = f (f6 & 0x7f);
const u8 out_val7 = f (f7 & 0x7f);
out_ptr[0] = ((out_val0 << 3) & 0xf8) | ((out_val1 >> 2) & 0x07); out_ptr[0] = ((out_val0 << 3) & 0xf8) | ((out_val1 >> 2) & 0x07);
out_ptr[1] = ((out_val1 << 6) & 0xc0) | ((out_val2 << 1) & 0x3e) | ((out_val3 >> 4) & 0x01); out_ptr[1] = ((out_val1 << 6) & 0xc0) | ((out_val2 << 1) & 0x3e) | ((out_val3 >> 4) & 0x01);
@ -702,14 +711,20 @@ size_t base32_encode (u8 (*f) (const u8), const u8 *in_buf, const size_t in_len,
for (size_t i = 0; i < in_len; i += 5) for (size_t i = 0; i < in_len; i += 5)
{ {
const u8 out_val0 = f ( ((in_ptr[0] >> 3) & 0x1f)); const u8 f0 = ((i + 0) < in_len) ? in_ptr[0] : 0;
const u8 out_val1 = f (((in_ptr[0] << 2) & 0x1c) | ((in_ptr[1] >> 6) & 0x03)); const u8 f1 = ((i + 1) < in_len) ? in_ptr[1] : 0;
const u8 out_val2 = f ( ((in_ptr[1] >> 1) & 0x1f)); const u8 f2 = ((i + 2) < in_len) ? in_ptr[2] : 0;
const u8 out_val3 = f (((in_ptr[1] << 4) & 0x10) | ((in_ptr[2] >> 4) & 0x0f)); const u8 f3 = ((i + 3) < in_len) ? in_ptr[3] : 0;
const u8 out_val4 = f (((in_ptr[2] << 1) & 0x1e) | ((in_ptr[3] >> 7) & 0x01)); const u8 f4 = ((i + 4) < in_len) ? in_ptr[4] : 0;
const u8 out_val5 = f ( ((in_ptr[3] >> 2) & 0x1f));
const u8 out_val6 = f (((in_ptr[3] << 3) & 0x18) | ((in_ptr[4] >> 5) & 0x07)); const u8 out_val0 = f ( ((f0 >> 3) & 0x1f));
const u8 out_val7 = f ( ((in_ptr[4] >> 0) & 0x1f)); const u8 out_val1 = f (((f0 << 2) & 0x1c) | ((f1 >> 6) & 0x03));
const u8 out_val2 = f ( ((f1 >> 1) & 0x1f));
const u8 out_val3 = f (((f1 << 4) & 0x10) | ((f2 >> 4) & 0x0f));
const u8 out_val4 = f (((f2 << 1) & 0x1e) | ((f3 >> 7) & 0x01));
const u8 out_val5 = f ( ((f3 >> 2) & 0x1f));
const u8 out_val6 = f (((f3 << 3) & 0x18) | ((f4 >> 5) & 0x07));
const u8 out_val7 = f ( ((f4 >> 0) & 0x1f));
out_ptr[0] = out_val0 & 0x7f; out_ptr[0] = out_val0 & 0x7f;
out_ptr[1] = out_val1 & 0x7f; out_ptr[1] = out_val1 & 0x7f;
@ -744,10 +759,15 @@ size_t base64_decode (u8 (*f) (const u8), const u8 *in_buf, const size_t in_len,
for (size_t i = 0; i < in_len; i += 4) for (size_t i = 0; i < in_len; i += 4)
{ {
const u8 out_val0 = f (in_ptr[0] & 0x7f); const u8 f0 = ((i + 0) < in_len) ? in_ptr[0] : 0;
const u8 out_val1 = f (in_ptr[1] & 0x7f); const u8 f1 = ((i + 1) < in_len) ? in_ptr[1] : 0;
const u8 out_val2 = f (in_ptr[2] & 0x7f); const u8 f2 = ((i + 2) < in_len) ? in_ptr[2] : 0;
const u8 out_val3 = f (in_ptr[3] & 0x7f); const u8 f3 = ((i + 3) < in_len) ? in_ptr[3] : 0;
const u8 out_val0 = f (f0 & 0x7f);
const u8 out_val1 = f (f1 & 0x7f);
const u8 out_val2 = f (f2 & 0x7f);
const u8 out_val3 = f (f3 & 0x7f);
out_ptr[0] = ((out_val0 << 2) & 0xfc) | ((out_val1 >> 4) & 0x03); out_ptr[0] = ((out_val0 << 2) & 0xfc) | ((out_val1 >> 4) & 0x03);
out_ptr[1] = ((out_val1 << 4) & 0xf0) | ((out_val2 >> 2) & 0x0f); out_ptr[1] = ((out_val1 << 4) & 0xf0) | ((out_val2 >> 2) & 0x0f);
@ -779,10 +799,14 @@ size_t base64_encode (u8 (*f) (const u8), const u8 *in_buf, const size_t in_len,
for (size_t i = 0; i < in_len; i += 3) for (size_t i = 0; i < in_len; i += 3)
{ {
const u8 out_val0 = f ( ((in_ptr[0] >> 2) & 0x3f)); const u8 f0 = ((i + 0) < in_len) ? in_ptr[0] : 0;
const u8 out_val1 = f (((in_ptr[0] << 4) & 0x30) | ((in_ptr[1] >> 4) & 0x0f)); const u8 f1 = ((i + 1) < in_len) ? in_ptr[1] : 0;
const u8 out_val2 = f (((in_ptr[1] << 2) & 0x3c) | ((in_ptr[2] >> 6) & 0x03)); const u8 f2 = ((i + 2) < in_len) ? in_ptr[2] : 0;
const u8 out_val3 = f ( ((in_ptr[2] >> 0) & 0x3f));
const u8 out_val0 = f ( ((f0 >> 2) & 0x3f));
const u8 out_val1 = f (((f0 << 4) & 0x30) | ((f1 >> 4) & 0x0f));
const u8 out_val2 = f (((f1 << 2) & 0x3c) | ((f2 >> 6) & 0x03));
const u8 out_val3 = f ( ((f2 >> 0) & 0x3f));
out_ptr[0] = out_val0 & 0x7f; out_ptr[0] = out_val0 & 0x7f;
out_ptr[1] = out_val1 & 0x7f; out_ptr[1] = out_val1 & 0x7f;
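Review bot: In base32_decode and base64_decode the zero that stands in for a missing trailing byte is still passed through the callback (`f (f0 & 0x7f)` and the lines after it), so an input whose length is not a multiple of 8 or 4 is decoded as if it had been padded with whatever `f (0)` returns, rather than being reported as truncated. The translation callbacks are outside these hunks, so whether `f (0)` yields a harmless 0 needs confirming; either way the behaviour deserves a comment above the fetches, for example `// bytes past in_len are read as 0, so a short final group is zero-filled, not rejected`. The new locals `f0`..`f7` also sit next to the callback parameter `f`, which makes `f (f0 & 0x7f)` hard to read; `in0`..`in7` would be clearer in all four functions. The `out_ptr[...]` stores that follow remain unconditional and the signatures are cut off after `in_len`, so the output capacity is not visible here; presumably callers must still size the output buffer for a full final group, which is worth stating in the function comments.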