From c19a09429b1d035bff0bca0a05cc7483a8d24405 Mon Sep 17 00:00:00 2001
From: magnum <magnum>
Date: Fri, 23 Sep 2011 04:19:08 +0200
Subject: [PATCH 3/4] j7: md5_gen Unicode truncation fixes (false positives)

---
 src/md5_gen_fmt.c |   44 ++++++++++++++++++++++++++++----------------
 1 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/src/md5_gen_fmt.c b/src/md5_gen_fmt.c
index 2f06e52..8b84646 100644
--- a/src/md5_gen_fmt.c
+++ b/src/md5_gen_fmt.c
@@ -2632,7 +2632,7 @@ static inline void __append_string(char *Str, unsigned len)
 				int outlen;
 
 				outlen = enc_to_utf16(utf16Str, 27, (unsigned char*)Str, len) * sizeof(UTF16);
-				if (outlen <= 0)
+				if (outlen < 0)
 					outlen = strlen16(utf16Str) * sizeof(UTF16);
 				for (j = 0; j < m_count; ++j) {
 					unsigned idx = (j>>(MMX_COEF>>1));
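Review bot: The new `outlen < 0` test only works because a negative return from enc_to_utf16() is first multiplied by `sizeof(UTF16)` (a size_t), wraps as an unsigned value, and is then converted back to int, which is implementation-defined. Assuming enc_to_utf16() returns a signed int, as the sign test implies, keeping the raw result signed makes the check well-defined: `int n = enc_to_utf16(utf16Str, 27, (unsigned char*)Str, len);` followed by `outlen = (n < 0 ? (int)strlen16(utf16Str) : n) * (int)sizeof(UTF16);`. The same pattern is in the second __append_string hunk, both __append2_string hunks and the four overwrite_salt_to_input hunks; in the append_keys hunks `-outlen / sizeof(UTF16)` also depends on that round trip. __append_string's body begins and ends outside this hunk.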
@@ -2660,7 +2660,7 @@ static inline void __append_string(char *Str, unsigned len)
 			UTF16 utf16Str[256+1];
 			int outlen;
 			outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)Str, len) * sizeof(UTF16);
-			if (outlen <= 0)
+			if (outlen < 0)
 				outlen = strlen16(utf16Str) * sizeof(UTF16);
 			for (j = 0; j < m_count; ++j) {
 				int z;
@@ -2727,7 +2727,7 @@ static inline void __append2_string(char *Str, unsigned len)
 				int outlen;
 
 				outlen = enc_to_utf16(utf16Str, 27, (unsigned char*)Str, len) * sizeof(UTF16);
-				if (outlen <= 0)
+				if (outlen < 0)
 					outlen = strlen16(utf16Str) * sizeof(UTF16);
 				for (j = 0; j < m_count; ++j) {
 					unsigned idx = (j>>(MMX_COEF>>1));
@@ -2755,7 +2755,7 @@ static inline void __append2_string(char *Str, unsigned len)
 			UTF16 utf16Str[256+1];
 			int outlen;
 			outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)Str, len) * sizeof(UTF16);
-			if (outlen <= 0)
+			if (outlen < 0)
 				outlen = strlen16(utf16Str) * sizeof(UTF16);
 			for (j = 0; j < m_count; ++j) {
 				int z;
@@ -2929,8 +2929,11 @@ void MD5GenBaseFunc__append_keys()
 					if (curdat.pSetup->MaxInputLen < maxlen)
 						maxlen = curdat.pSetup->MaxInputLen;
 					outlen = enc_to_utf16(utf16Str, maxlen, (unsigned char*)saved_key[j], saved_key_len[j]) * sizeof(UTF16);
-					if (outlen <= 0)
-						outlen = strlen16(utf16Str) * sizeof(UTF16);
+					if (outlen <= 0) {
+						saved_key_len[j] = -outlen / sizeof(UTF16);
+						if (outlen < 0)
+							outlen = strlen16(utf16Str) * sizeof(UTF16);
+					}
 					total_len[idx] += ( outlen << ((32/MMX_COEF)*idx_mod));
 					__SSE_append_string_to_input((unsigned char*)(&input_buf[idx]),idx_mod,(char*)utf16Str,outlen,bf_ptr,1);
 				} else {
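Review bot: The new write `saved_key_len[j] = -outlen / sizeof(UTF16);` changes stored key state from inside the append path without a comment saying why, and it also runs when outlen is 0. A comment above the block would help, e.g. `/* truncated (or empty) conversion: record how many source bytes were actually hashed, so the key reported later matches the hashed input */`; the meaning of the negative return is inferred from this line and the commit subject, so confirm it against enc_to_utf16(). The false-positive fix only holds if whatever returns the candidate honours saved_key_len[j] rather than the NUL terminator of saved_key[j], which is not visible in this hunk. The identical block appears in the non-SSE branch of this function and in both branches of MD5GenBaseFunc__append_keys2. The enclosing function extends beyond the hunk on both sides.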
@@ -2953,8 +2956,11 @@ void MD5GenBaseFunc__append_keys()
 				UTF16 utf16Str[256+1];
 				int outlen;
 				outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)saved_key[j], saved_key_len[j]) * sizeof(UTF16);
-				if (outlen <= 0)
-					outlen = strlen16(utf16Str) * sizeof(UTF16);
+				if (outlen <= 0) {
+					saved_key_len[j] = -outlen / sizeof(UTF16);
+					if (outlen < 0)
+						outlen = strlen16(utf16Str) * sizeof(UTF16);
+				}
 #if MD5_X2
 				if (j&1)
 					cp = &(input_buf_X86[j>>MD5_X2].x2.B2[total_len_X86[j]]);
@@ -3017,8 +3023,11 @@ void MD5GenBaseFunc__append_keys2()
 					if (curdat.pSetup->MaxInputLen < maxlen)
 						maxlen = curdat.pSetup->MaxInputLen;
 					outlen = enc_to_utf16(utf16Str, maxlen, (unsigned char*)saved_key[j], saved_key_len[j]) * sizeof(UTF16);
-					if (outlen <= 0)
-						outlen = strlen16(utf16Str) * sizeof(UTF16);
+					if (outlen <= 0) {
+						saved_key_len[j] = -outlen / sizeof(UTF16);
+						if (outlen < 0)
+							outlen = strlen16(utf16Str) * sizeof(UTF16);
+					}
 					total_len2[idx] += ( outlen << ((32/MMX_COEF)*idx_mod));
 					__SSE_append_string_to_input((unsigned char*)(&input_buf2[idx]),idx_mod,(char*)utf16Str,outlen,bf_ptr,1);
 				} else {
@@ -3041,8 +3050,11 @@ void MD5GenBaseFunc__append_keys2()
 				UTF16 utf16Str[256+1];
 				int outlen;
 				outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)saved_key[j], saved_key_len[j]) * sizeof(UTF16);
-				if (outlen <= 0)
-					outlen = strlen16(utf16Str) * sizeof(UTF16);
+				if (outlen <= 0) {
+					saved_key_len[j] = -outlen / sizeof(UTF16);
+					if (outlen < 0)
+						outlen = strlen16(utf16Str) * sizeof(UTF16);
+				}
 #if MD5_X2
 				if (j&1)
 					cp = &(input_buf2_X86[j>>MD5_X2].x2.B2[total_len2_X86[j]]);
@@ -4513,7 +4525,7 @@ void MD5GenBaseFunc__overwrite_salt_to_input1_no_size_fix()
 				UTF16 utf16Str[27+1]; // 27 chars is 'max' that fits in SSE without overflow, so that is where we limit it at now
 				int outlen;
 				outlen = enc_to_utf16(utf16Str, 27, (unsigned char*)cursalt, saltlen) * sizeof(UTF16);
-				if (outlen <= 0)
+				if (outlen < 0)
 					outlen = strlen16(utf16Str) * sizeof(UTF16);
 				for (j = 0; j < m_count; ++j) {
 					__SSE_append_string_to_input((unsigned char*)(&input_buf[j>>(MMX_COEF>>1)]),j&(MMX_COEF-1),(char*)utf16Str,outlen,0,0);
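Review bot: A salt longer than 27 UTF-16 units is still truncated silently on this path: after the `outlen < 0` branch the shortened utf16Str is appended for every j, and nothing records or reports the truncation. Unlike the key path in MD5GenBaseFunc__append_keys, where the stored length is now corrected, a hash computed over a cut salt will not correspond to the real salted hash. Unless the salt length is already bounded before this point (not visible here), state the requirement at the conversion, e.g. `/* NOTE: a truncated salt is hashed as-is; salt length must be bounded by the caller */`. The same applies to the 256-unit branch and to MD5GenBaseFunc__overwrite_salt_to_input2_no_size_fix. The function body starts and ends outside this hunk.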
@@ -4534,7 +4546,7 @@ void MD5GenBaseFunc__overwrite_salt_to_input1_no_size_fix()
 			UTF16 utf16Str[256+1];
 			int outlen;
 			outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)cursalt, saltlen) * sizeof(UTF16);
-			if (outlen <= 0)
+			if (outlen < 0)
 				outlen = strlen16(utf16Str) * sizeof(UTF16);
 
 			for (j = 0; j < m_count; ++j) {
@@ -4586,7 +4598,7 @@ void MD5GenBaseFunc__overwrite_salt_to_input2_no_size_fix()
 				UTF16 utf16Str[27+1]; // 27 chars is 'max' that fits in SSE without overflow, so that is where we limit it at now
 				int outlen;
 				outlen = enc_to_utf16(utf16Str, 27, (unsigned char*)cursalt, saltlen) * sizeof(UTF16);
-				if (outlen <= 0)
+				if (outlen < 0)
 					outlen = strlen16(utf16Str) * sizeof(UTF16);
 				for (j = 0; j < m_count; ++j) {
 					__SSE_append_string_to_input((unsigned char*)(&input_buf2[j>>(MMX_COEF>>1)]),j&(MMX_COEF-1),(char*)utf16Str,outlen,0,0);
@@ -4607,7 +4619,7 @@ void MD5GenBaseFunc__overwrite_salt_to_input2_no_size_fix()
 			UTF16 utf16Str[256+1];
 			int outlen;
 			outlen = enc_to_utf16(utf16Str, 256, (unsigned char*)cursalt, saltlen) * sizeof(UTF16);
-			if (outlen <= 0)
+			if (outlen < 0)
 				outlen = strlen16(utf16Str) * sizeof(UTF16);
 
 			for (j = 0; j < m_count; ++j) {
-- 
1.7.4.1

