salt[5] >= '0' && salt[5] <= '9' &&
salt[6] == '$') {
char output[PHP_MAX_SALT_LEN + 1];
+ int k = 7;
+
+ while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+ k++;
+ }
+ if (k != salt_len) {
+ return FAILURE;
+ }
memset(output, 0, PHP_MAX_SALT_LEN + 1);
--- /dev/null
+--TEST--
+Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+ die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+ var_dump(password_verify("","$2y$10$$"));
+?>
+==OK==
+--EXPECT--
+bool(false)
+==OK==
+
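Review bot: The SKIPIF section has an unbalanced parenthesis in `if (!function_exists('crypt'))) {`, so it is a parse error and can never print the skip line; it should read `if (!function_exists('crypt')) {`. On a build without crypt() the guard therefore does nothing, and the harness will presumably run the test anyway or flag it as broken rather than skip it. The salt literal `"$2y$10$$"` is double-quoted and stays literal only because `$2y` and `$$` are not valid variable names; writing it as `'$2y$10$$'` removes the dependence on interpolation rules. The test covers only the case where nothing follows the cost prefix, so a second `password_verify` call whose salt contains a character outside `[A-Za-z0-9./]` would also exercise the rejection loop added in the C change.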