fix crypt() issue with overlong salt
authorStanislav Malyshev <stas@php.net>
Mon, 4 Jul 2011 23:38:09 +0000 (23:38 +0000)
committerStanislav Malyshev <stas@php.net>
Mon, 4 Jul 2011 23:38:09 +0000 (23:38 +0000)
NEWS
ext/standard/crypt.c
ext/standard/tests/strings/crypt_variation1.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 8a127ec93f38e62e588da988e4e8da71fbf14619..48b2180097a58ef4ba7c25ce52dd454962d6b8c1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ PHP                                                                        NEWS
 - Core
   . Fixed bug #53727 (Inconsistent behavior of is_subclass_of with interfaces)
     (Ralph Schindler, Dmitry)
+  . Fixed buffer overflow on overlog salt in crypt(). (ClĂ©ment LECIGNE, Stas)
 
 - PDO DBlib:
   . Fixed bug #54329 (MSSql extension memory leak).
index 65d83243d69a13230e6ab31363e144ec4b94ad14..efccd25b8e20326de4595edfc85115549ad580a8 100644 (file)
@@ -179,6 +179,8 @@ PHP_FUNCTION(crypt)
                salt[2] = '\0';
 #endif
                salt_in_len = strlen(salt);
+       } else {
+               salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
        }
 
 /* Windows (win32/crypt) has a stripped down version of libxcrypt and 
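Review bot: The new `else` branch clamps the caller-supplied `salt_in_len` without recording which bound it protects, so a later edit could drop or bypass it without noticing that it is the overflow fix. A comment on the clamp would record that, for example `/* salt_in_len comes from the caller; clamp it so every later use of it as an index or copy length stays inside salt[] */`. The clamp is only sufficient if `salt` is declared with room for `PHP_MAX_SALT_LEN` bytes plus a terminator; that declaration is outside this hunk, so it should be confirmed, ideally with the size expressed as `PHP_MAX_SALT_LEN + 1` at the declaration. PHP_FUNCTION(crypt) starts before and continues after the hunk.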
diff --git a/ext/standard/tests/strings/crypt_variation1.phpt b/ext/standard/tests/strings/crypt_variation1.phpt
new file mode 100644 (file)
index 0000000..6e0d3fe
--- /dev/null
@@ -0,0 +1,23 @@
+--TEST--
+crypt() function - long salt
+--SKIPIF--
+<?php
+if (!function_exists('crypt')) {
+       die("SKIP crypt() is not available");
+}
+?> 
+--FILE--
+<?php
+
+$b = str_repeat("A", 124);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 125);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 4096);
+echo crypt("A", "$5$" . $b)."\n";
+
+?>
+--EXPECTF--
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
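Review bot: The `--SKIPIF--` section only checks that `crypt()` exists, but every call in `--FILE--` uses a `$5$` salt, so on a build without SHA-256 crypt the test would fail instead of being skipped; the guard could read `if (!function_exists('crypt') || !defined("CRYPT_SHA256")) {`. All three expected lines show the same 16-character salt, so the test confirms that over-long salts no longer crash and hash consistently, but it does not show where the length clamp takes effect. A case with a salt prefix that has no short internal salt limit would cover that, if one is available on this branch. Since the expected output contains no format placeholders, `--EXPECT--` would be a stricter match than `--EXPECTF--`.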