From 75667e266c2b9356504a86c6013b91a9a3e48c4e Mon Sep 17 00:00:00 2001
From: Sylvain Pelissier <sylvain.pelissier@gmail.com>
Date: Tue, 22 Feb 2022 12:04:21 +0100
Subject: [PATCH] PEM: check input ciphertext length to avoid buffer overflow

---
 src/pem_common_plug.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/pem_common_plug.c b/src/pem_common_plug.c
index 2a02509d5e..8191067fe1 100644
--- a/src/pem_common_plug.c
+++ b/src/pem_common_plug.c
@@ -65,7 +65,7 @@ int pem_valid(char *ciphertext, struct fmt_main *self)
 		goto err;
 	if ((p = strtokm(NULL, "$")) == NULL)   // salt
 		goto err;
-	if (hexlenl(p, &extra) != 16 || extra)
+	if (hexlenl(p, &extra) != SALTLEN * 2 || extra)
 		goto err;
 	if ((p = strtokm(NULL, "$")) == NULL)   // iterations
 		goto err;
@@ -81,6 +81,8 @@ int pem_valid(char *ciphertext, struct fmt_main *self)
 	if (!isdec(p))
 		goto err;
 	len = atoi(p);
+	if (len > CTLEN)
+		goto err;
 	if ((p = strtokm(NULL, "*")) == NULL)   // ciphertext
 		goto err;
 	if (hexlenl(p, &extra) != len*2 || extra)