Fixed bug #72535 arcfour encryption stream filter crashes php

diff --git a/ext/mcrypt/mcrypt_filter.c b/ext/mcrypt/mcrypt_filter.c
index cfaf25c3abb2dab1dc01b5ccc662efc6ab5795a0..fcb50647130f4dc16d7b538cbb2849e69305733b 100644 (file)
--- a/ext/mcrypt/mcrypt_filter.c
+++ b/ext/mcrypt/mcrypt_filter.c
@@ -89,7 +89,7 @@ static php_stream_filter_status_t php_mcrypt_filter(
                        php_stream_bucket_delref(bucket TSRMLS_CC);
                } else {
                        /* Stream cipher */
-                       php_stream_bucket_make_writeable(bucket TSRMLS_CC);
+                       bucket = php_stream_bucket_make_writeable(bucket TSRMLS_CC);
                        if (data->encrypt) {
                                mcrypt_generic(data->module, bucket->buf, bucket->buflen);
                        } else {

diff --git a/ext/mcrypt/tests/bug72535.phpt b/ext/mcrypt/tests/bug72535.phpt
new file mode 100644 (file)
index 0000000..9e6d833
--- /dev/null
+++ b/ext/mcrypt/tests/bug72535.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #72535 arcfour encryption stream filter crashes php
+--SKIPIF--
+<?php if (!extension_loaded("mcrypt")) print "skip"; ?>
+--FILE--
+<?php
+$passphrase = 'My secret';
+$plaintext = 'Secret secret secret data';
+
+$iv = substr(md5('iv' . $passphrase, true), 0, 8);
+$key = substr(md5('pass1' . $passphrase, true) .
+                     md5('pass2' . $passphrase, true), 0, 24);
+$opts = array('iv' => $iv, 'key' => $key, 'mode' => 'stream');
+
+$expected = substr($plaintext . $plaintext, 0, 48);
+
+$fp = fopen('php://memory', 'wb+');
+stream_filter_append($fp, 'mcrypt.arcfour', STREAM_FILTER_WRITE, $opts);
+fwrite($fp, $plaintext);
+?>
+==NOCRASH==
+--EXPECT--
+==NOCRASH==