From 0a958a5d1010a3ff08ad24fd870fda322bdb08b1 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister
Date: Tue, 19 Jun 2018 23:23:34 +0200
Subject: [PATCH] fix: short files in PasswordHashChecker

For short files (or, presumably, for very rare hashes on all files), PasswordHashChecker would occasionally attempt to read before the start or past the end of a file; avoid this with clamping (in two cases where there is no potentially infinite iteration) or aborting (in the one other case, where clamping might yield an infinite loop).

Change-Id: Ia1d4f527a2b8589ec43732e0e1a1cf80cb3e2bac
---
 .../wpia/gigi/passwords/PasswordHashChecker.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/club/wpia/gigi/passwords/PasswordHashChecker.java b/src/club/wpia/gigi/passwords/PasswordHashChecker.java
index 32eda623..5c6e3a06 100644
--- a/src/club/wpia/gigi/passwords/PasswordHashChecker.java
+++ b/src/club/wpia/gigi/passwords/PasswordHashChecker.java
@@ -76,6 +76,7 @@ public class PasswordHashChecker implements PasswordChecker {
 private boolean knownPasswordHash(byte[] passwordHash) throws IOException {
 long targetEstimate = estimateHashOffset(passwordHash);
 long bestGuess = targetEstimate;
+ bestGuess = clampOffset(bestGuess);
 hashBuffer.clear();
 database.read(hashBuffer, bestGuess);
@@ -86,6 +87,7 @@ public class PasswordHashChecker implements PasswordChecker {
 break;
 }
 bestGuess = bestGuess + targetEstimate - bestGuessEstimate;
+ bestGuess = clampOffset(bestGuess);
 hashBuffer.clear();
 database.read(hashBuffer, bestGuess);
 }
@@ -97,6 +99,9 @@ public class PasswordHashChecker implements PasswordChecker {
 int newSearchDirection = searchDirection;
 while (searchDirection == newSearchDirection) {
 bestGuess += digestLength * searchDirection;
+ if (bestGuess < 0 || bestGuess >= database.size()) {
+ break;
+ }
 hashBuffer.clear();
 database.read(hashBuffer, bestGuess);
 newSearchDirection = compareHashes(passwordHash, hashBuffer.array());
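Review bot: The upper bound `bestGuess >= database.size()` in the @@ -97 hunk still admits an offset whose record runs past the end of the file, for example when bestGuess is not a multiple of digestLength or the file ends in a partial record. The read that follows would then fill only part of hashBuffer, and because `clear()` does not erase the buffer, compareHashes would see leftover bytes from the previous record. Comparing the end of the record instead closes that gap: `if (bestGuess < 0 || bestGuess + digestLength > database.size()) {`. The loop's tail and the code after the break lie outside the hunk, so it is worth confirming that leaving the loop here ends in "hash not known" and not in a match on the stale buffer.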
@@ -127,4 +132,14 @@ public class PasswordHashChecker implements PasswordChecker {
 / (1L << 32);
 return (pos / digestLength) * digestLength;
 }
+
+ private long clampOffset(long offset) throws IOException {
+ if (offset < 0) {
+ return 0;
+ }
+ if (offset >= database.size()) {
+ return database.size() - 1;
+ }
+ return offset;
+ }
 }
-- 
2.39.2
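Review bot: clampOffset returns `database.size() - 1` for an offset past the end, which is not a multiple of digestLength and becomes -1 when the file is empty (a negative position is rejected by the read if database is a FileChannel, which the hunk does not show). The method ending just above the addition rounds offsets down to whole records, so after this clamp the call sites in the @@ -76 and @@ -86 hunks would read a single byte into hashBuffer and compare it together with stale bytes, and a hash that is in the list could be reported as unknown. Clamping to the start of the last whole record avoids both cases: `long last = (database.size() / digestLength - 1) * digestLength;` followed by `return Math.max(0, Math.min(offset, last));`. A short Javadoc on clampOffset stating that the result is always the start of a complete record would make the contract explicit for the callers.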