Add tests and error checking for large salt requested values to prevent overflow...

diff --git a/ext/standard/password.c b/ext/standard/password.c
index 94aa4dc3e3ec3d088d54b94a0d81ad4854a701e1..ab115afb6c7ecb7bbf2122be1bdcbdf39734b3d9 100644 (file)
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -82,14 +82,19 @@ static int php_password_salt_to64(const char *str, const int str_len, const int
 
 #define PHP_PASSWORD_FUNCTION_EXISTS(func, func_len) (zend_hash_find(EG(function_table), (func), (func_len) + 1, (void **) &func_ptr) == SUCCESS && func_ptr->type == ZEND_INTERNAL_FUNCTION && func_ptr->internal_function.handler != zif_display_disabled_function)
 
-static int php_password_make_salt(int length, int raw, char *ret TSRMLS_DC)
+static int php_password_make_salt(long length, int raw, char *ret TSRMLS_DC)
 {
-       int i, raw_length, buffer_valid = 0;
+       int buffer_valid = 0;
+       long i, raw_length;
        char *buffer;
 
        if (raw) {
                raw_length = length;
        } else {
+               if (length > (LONG_MAX / 3)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length is too large to safely generate");
+                       return FAILURE;
+               }
                raw_length = length * 3 / 4 + 1;
        }
        buffer = (char *) emalloc(raw_length + 1);
@@ -192,15 +197,19 @@ PHP_FUNCTION(password_verify)
 PHP_FUNCTION(password_make_salt)
 {
        char *salt;
-       int length = 0;
+       long length = 0;
        zend_bool raw_output = 0;
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l|b", &length, &raw_output) == FAILURE) {
                 RETURN_FALSE;
         }
        if (length <= 0) {
-               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length cannot be less than or equal zero: %d", length);
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length cannot be less than or equal zero: %ld", length);
+               RETURN_FALSE;
+       } else if (length > (LONG_MAX / 3)) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length is too large to safely generate");
                RETURN_FALSE;
        }
+
        salt = emalloc(length + 1);
        if (php_password_make_salt(length, (int) raw_output, salt TSRMLS_CC) == FAILURE) {
                efree(salt);
@@ -298,7 +307,7 @@ PHP_FUNCTION(password_hash)
                zval_ptr_dtor(option_buffer);
         } else {
                salt = emalloc(required_salt_len + 1);
-               if (php_password_make_salt(required_salt_len, 0, salt TSRMLS_CC) == FAILURE) {
+               if (php_password_make_salt((long) required_salt_len, 0, salt TSRMLS_CC) == FAILURE) {
                        efree(hash_format);
                        efree(salt);
                        RETURN_FALSE;

diff --git a/ext/standard/tests/password/password_make_salt_error.phpt b/ext/standard/tests/password/password_make_salt_error.phpt
index 7d79713e8ddd4d849fa32011f0b8337360d93683..8078582e3c8286ce7b9906b4613fb66e98b4a73e 100644 (file)
--- a/ext/standard/tests/password/password_make_salt_error.phpt
+++ b/ext/standard/tests/password/password_make_salt_error.phpt
@@ -10,6 +10,10 @@ var_dump(password_make_salt("foo"));
 
 var_dump(password_make_salt(-1));
 
+var_dump(password_make_salt(PHP_INT_MAX));
+
+var_dump(password_make_salt(floor(PHP_INT_MAX / 2.9)));
+
 ?>
 --EXPECTF--
 Warning: password_make_salt() expects at least 1 parameter, 0 given in %s on line %d
@@ -21,3 +25,9 @@ bool(false)
 Warning: password_make_salt(): Length cannot be less than or equal zero: -1 in %s on line %d
 bool(false)
 
+Warning: password_make_salt(): Length is too large to safely generate in %s on line %d
+bool(false)
+
+Warning: password_make_salt(): Length is too large to safely generate in %s on line %d
+bool(false)
+