author: lloyd <[email protected]> 2010-02-03 05:38:23 +0000
committer: lloyd <[email protected]> 2010-02-03 05:38:23 +0000
commit: 25a7fa86f6f9f5b3f91114db357fa044b92db471
tree: 1266627163dbc0aa59cddd4d4c58186b96781668
parent: 7667619fa001b4b9dd9df663fc01fa7c31e5f4f9
MD4's M buffer was set to be 48 words instead of 16. This had been
extant for a long long time and was never caught because until recently the code did not depend on M.size(). However with the recent loadstore changes that use memcpy to load the entire array in one shot, an extra 128 bytes of memory would be read (but not used) in each iteration. This probably did not cause any problems except for Valgrind warnings, though in some situations it would be possible for the M buffer and MDx_HashFunctions buffer to be close enough that memcpy would be called with overlapping regions, which could cause arbitrarily weird failures since memcpy is allowed to assume they do not overlap.
-rw-r--r-- doc/log.txt 1
-rw-r--r-- src/hash/md4/md4.h 2
2 files changed, 2 insertions, 1 deletions
diff --git a/doc/log.txt b/doc/log.txt
index 2e93cf207..3367337eb 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -10,6 +10,7 @@
- Add support for Win32 high resolution system timers
- Changed S2K interface: derive_key now takes salt, iteration count
- Fix crash in GMP_Engine if library is shutdown and reinitialized
+ - Fix an invalid memory read in MD4
- Remove Timer class entirely
- Switch default PKCS #8 encryption algorithm from 3DES to AES-256
- New option --gen-amalgamation for creating a SQLite-style amalgamation
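Review bot: The added entry `- Fix an invalid memory read in MD4` gives readers no way to judge exposure. The commit message says the over-read is 128 bytes per iteration, only matters since the recent loadstore changes, and could in some layouts lead to memcpy being called on overlapping regions. Consider wording the entry to say it is a read past the end of the input block introduced with the loadstore change, so users can tell which versions are affected.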
diff --git a/src/hash/md4/md4.h b/src/hash/md4/md4.h
index 0b76a70e4..0bff5a4ce 100644
--- a/src/hash/md4/md4.h
+++ b/src/hash/md4/md4.h
@@ -27,7 +27,7 @@ class BOTAN_DLL MD4 : public MDx_HashFunction
void hash_old(const byte[]);
void copy_out(byte[]);
- SecureBuffer<u32bit, 48> M;
+ SecureBuffer<u32bit, 16> M;
SecureBuffer<u32bit, 4> digest;
};
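Review bot: The replacement line `SecureBuffer<u32bit, 16> M;` is still a bare literal with nothing tying it to the hash's block size, which is how the 48 survived unnoticed for so long. Since the commit message says the load now copies `M.size()` words in one memcpy, suggest a short comment here stating that 16 words is one 64-byte MD4 block, and a check at the point of the load that the byte length of M equals the block length, so a future mismatch fails loudly instead of over-reading. It would also be worth confirming that the other MDx_HashFunction subclasses declare buffers that match their block sizes, and adding a Valgrind run of the MD4 tests to catch a regression.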