
[Security] Integer overflow in src/mdc2dgst_plug.c #5373

Open
the-Chain-Warden-thresh opened this issue Oct 31, 2023 · 1 comment

the-Chain-Warden-thresh commented Oct 31, 2023

I've found that the code snippet in int JtR_MDC2_Update(JtR_MDC2_CTX *c, const unsigned char *in, size_t len) is quite similar to the vulnerable code snippet in CVE-2016-6303, which will cause an integer overflow and then result in a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

solardiz (Member) commented

@the-Chain-Warden-thresh Is this part of a research project on finding embedded copies of code with previously known bugs? A paper upcoming?

This CVE description is:

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

We may look into updating to newer upstream code (or switch to calling into OpenSSL when available, why do we even have a copy of the code?), but I think this has no impact (let alone security impact) in JtR since the inputs are candidate passwords, which in JtR are of limited length (currently up to 125).
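An added illustration of the kind of wrapping length check the quoted CVE description refers to, written for this thread rather than taken from JtR or OpenSSL: the partial-block test of a hash Update() in its overflow-prone form beside an overflow-safe rearrangement, plus a small buffering step built on the safe one. The BLOCK constant (8, MDC-2's DES block size), the toy_ctx struct and every function name here are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8   /* MDC-2 block size in bytes (its DES block size) */
/* Constructed stand-in for the hash context: buffered bytes, count < BLOCK. */
typedef struct {
    unsigned char data[BLOCK];
    size_t num;
} toy_ctx;

/* Pre-fix pattern: if num + len wraps past SIZE_MAX the sum is tiny, the test
 * passes, and the caller memcpy()s len bytes into an 8-byte buffer. */
bool fits_partial_unsafe(size_t num, size_t len)
{
    return num + len < BLOCK;
}

/* Rearranged so nothing can wrap: num < BLOCK, so BLOCK - num stays small. */
bool fits_partial_safe(size_t num, size_t len)
{
    return len < BLOCK - num;
}

/* Partial-block step of an Update(): returns bytes absorbed into the buffer,
 * or 0 when the caller must take the full-block path instead. */
size_t buffer_partial(toy_ctx *c, const unsigned char *in, size_t len)
{
    if (c->num == 0 || !fits_partial_safe(c->num, len))
        return 0;
    memcpy(c->data + c->num, in, len);
    c->num += len;
    return len;
}

/* Huge len against a 5-byte partial block: the safe path absorbs nothing. */
size_t huge_update_absorbed(void)
{
    toy_ctx c = { {0}, 5 };
    return buffer_partial(&c, c.data, SIZE_MAX - 2);  /* 5 + len wraps to 2 */
}

int main(void)
{
    printf("unsafe=%d safe=%d absorbed=%zu\n", fits_partial_unsafe(5, SIZE_MAX - 2),
           fits_partial_safe(5, SIZE_MAX - 2), huge_update_absorbed());
    return 0;  /* prints: unsafe=1 safe=0 absorbed=0 */
}
```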
