>From d024dc4c21f7d39b340137cb409d8b0f06496126 Mon Sep 17 00:00:00 2001
From: Alexander Cherepanov
Date: Mon, 23 Mar 2015 02:19:56 +0300
Subject: [PATCH] 7z: compute data lengths from data fields in hash and bound them
---
 src/7z_fmt_plug.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/src/7z_fmt_plug.c b/src/7z_fmt_plug.c
index 78f7a4f..690759d 100644
--- a/src/7z_fmt_plug.c
+++ b/src/7z_fmt_plug.c
@@ -121,23 +121,19 @@ static int valid(char *ciphertext, struct fmt_main *self)
 goto err;
 if ((p = strtokm(NULL, "$")) == NULL) /* salt length */
 goto err;
-len = atoi(p);
-if(len > 16 || len < 0) /* salt length */
-goto err;
+/* ignore salt length recorded in the hash */
 if ((p = strtokm(NULL, "$")) == NULL) /* salt */
 goto err;
+/* ignore salt */
 if ((p = strtokm(NULL, "$")) == NULL) /* iv length */
 goto err;
-if (strlen(p) > 2)
-goto err;
-len = atoi(p);
-if(len < 0 || len > 16) /* iv length */
-goto err;
+/* ignore iv length recorded in the hash */
 if ((p = strtokm(NULL, "$")) == NULL) /* iv */
 goto err;
 if (!ishex(p))
 goto err;
-if (strlen(p) > len*2 && strcmp(p+len*2, "0000000000000000"))
+len = strlen(p);
+if(len > 16 * 2 || len % 2 != 0) /* iv length */
 goto err;
 if ((p = strtokm(NULL, "$")) == NULL) /* crc */
 goto err;
@@ -145,14 +141,17 @@ static int valid(char *ciphertext, struct fmt_main *self)
 goto err;
 if ((p = strtokm(NULL, "$")) == NULL) /* data length */
 goto err;
-len = atoi(p);
+/* ignore data length recorded in the hash */
 if ((p = strtokm(NULL, "$")) == NULL) /* unpacksize */
 goto err;
 if (!isdec(p)) /* no way to validate, other than atoi() works for it */
 goto err;
 if ((p = strtokm(NULL, "$")) == NULL) /* data */
 goto err;
-if (strlen(p) != len * 2) /* validates data_len atoi() */
+if (!ishex(p))
+goto err;
+len = strlen(p);
+if (len > BIG_ENOUGH * 2 || len % 2 != 0) /* data length */
 goto err;
 MEM_FREE(keeptr);
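Review bot: The new caps `len > 16 * 2` in the iv check and `len > BIG_ENOUGH * 2` in the data check (second hunk of this file) are now the only thing keeping get_salt's hex-decoding loops inside the iv and data arrays, yet nothing ties the literal 16 to the iv array's declared size. A comment on the iv line such as `/* iv hex must fit the iv array (16 bytes); keep in sync with the salt struct */` would record that coupling, or better, derive the bound from `sizeof` of the field so the two cannot drift apart. `len` is now assigned from `strlen()`; if it is still the `int` that the removed `atoi()` calls used, `size_t` fits its new role better and avoids a signed/unsigned mismatch in the comparisons. The salt field is skipped with no `ishex()` check, which is only safe as long as get_salt keeps ignoring it as it does in this commit. valid()'s body continues outside both hunks.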
@@ -184,24 +183,27 @@ static void *get_salt(char *ciphertext)
 p = strtokm(NULL, "$");
 cs->NumCyclesPower = atoi(p);
 p = strtokm(NULL, "$");
-cs->SaltSize = atoi(p);
+/* ignore salt length recorded in the hash */
 p = strtokm(NULL, "$"); /* salt */
+/* ignore salt */
 p = strtokm(NULL, "$");
-cs->ivSize = atoi(p);
+/* ignore iv length recorded in the hash */
 p = strtokm(NULL, "$"); /* iv */
-for (i = 0; i < cs->ivSize; i++)
+for (i = 0; p[i * 2]; i++)
 cs->iv[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
+cs->ivSize = i;
 p = strtokm(NULL, "$"); /* crc */
 cs->crc = atou(p); /* unsigned function */
 p = strtokm(NULL, "$");
-cs->length = atoi(p);
+/* ignore data length recorded in the hash */
 p = strtokm(NULL, "$");
 cs->unpacksize = atoi(p);
 p = strtokm(NULL, "$"); /* crc */
-for (i = 0; i < cs->length; i++)
+for (i = 0; p[i * 2]; i++)
 cs->data[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
+cs->length = i;
 MEM_FREE(keeptr);
 return (void *)cs;
 }
-- 
1.7.10.4
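Review bot: The rewritten loops `for (i = 0; p[i * 2]; i++)` carry no bound of their own and also read `p[i * 2 + 1]`, so they stay inside `cs->iv` and `cs->data` only because valid() now rejects odd-length hex and caps the iv at 16 bytes and the data at BIG_ENOUGH bytes; that invariant deserves a comment at each loop, e.g. `/* even length and byte count are bounded by valid() */`. A cheap second line of defence would be to add the destination size to the loop condition (something like `i < sizeof(cs->iv)` if iv is a fixed array — confirm against the struct declaration), so get_salt cannot overrun if it is ever handed a line valid() has not seen. The unchanged `/* crc */` label on the `strtokm` call just before the data loop is misleading — that field is the data — and should read `/* data */`. get_salt begins before this hunk.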