Open
Description
In the final hashing step, the code uses strdup/strlen on r_hp_passphrase->output, but that buffer is 32 bytes of binary Argon2 output, not a null-terminated string.
```c
pc2_hash_pass_t final_hash =
    pc2_hash_pass_create_manually(r_hp_passphrase->output);

pc2_hash_pass_t pc2_hash_pass_create_manually(uint8_t* r_input)
{
    pc2_hash_pass_t hp = { 0 };
    hp.input = (uint8_t*)STRDUP((char*)r_input);
    hp.input_len = strlen((char*)hp.input);
    return hp;
}
```
The hp.input here will be 64 bytes.
Struct layout likely explains it (hash bytes followed by salt):
```c
uint8_t output[PC2_HASHLEN];
uint8_t salt[PC2_SALTLEN];
```
On a different compiler/architecture it may create a more serious issue.
Fix Idea
Don’t use C-string functions on binary hashes. Copy with a fixed length.
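
An added example, not code from this repository or from the issue author: it measures what `strlen` reports for a hash buffer followed by a salt, and shows a fixed-length copy next to it. It goes slightly beyond the issue by also covering a hash that contains a zero byte, which a C-string copy would truncate. The `demo_*` names, `make_record`, the `guard` byte and `PC2_SALTLEN = 32` are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PC2_HASHLEN 32
#define PC2_SALTLEN 32 /* assumed: the issue only implies it (32 + 32 = 64) */

/* Hypothetical stand-in for the project's struct. `guard` is added here so
 * the C-string measurement below stops inside this one object. */
typedef struct {
    uint8_t output[PC2_HASHLEN];
    uint8_t salt[PC2_SALTLEN];
    uint8_t guard; /* always 0 */
} demo_record_t;

typedef struct {
    uint8_t *input;
    size_t   input_len;
} demo_hash_pass_t;

/* Length a C-string function sees when handed the start of the record. */
size_t cstring_len_of_hash(const demo_record_t *r)
{
    return strlen((const char *)r);
}

/* Fixed-length copy: the caller states how many bytes the hash has. */
demo_hash_pass_t hash_pass_create_fixed(const uint8_t *in, size_t in_len)
{
    demo_hash_pass_t hp = { 0 };
    hp.input = malloc(in_len);
    if (hp.input != NULL) {
        memcpy(hp.input, in, in_len);
        hp.input_len = in_len;
    }
    return hp;
}

/* Constructed sample data: all bytes non-zero unless zero_at < PC2_HASHLEN. */
demo_record_t make_record(size_t zero_at)
{
    demo_record_t r;
    memset(r.output, 0xA5, sizeof r.output);
    memset(r.salt, 0x5A, sizeof r.salt);
    r.guard = 0;
    if (zero_at < PC2_HASHLEN)
        r.output[zero_at] = 0;
    return r;
}
```

With no zero byte in the hash the C-string length runs through the salt; with a zero byte at index 5 it stops after 5 bytes. The fixed-length copy returns 32 bytes in both cases.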