]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9743246)
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
authorAnthony Ferrara <ircmaxell@ircmaxell.com>
Fri, 29 Jun 2012 00:00:03 +0000 (20:00 -0400)
committerAnthony Ferrara <ircmaxell@ircmaxell.com>
Fri, 29 Jun 2012 00:00:03 +0000 (20:00 -0400)
Fixed a memory allocation bug in crypt() SHA256/512 that can
cause segmentation faults when passed in salts with a null byte
early.

NEWS patch | blob | history
ext/standard/crypt.c patch | blob | history
ext/standard/tests/strings/bug62443.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index 520aa192f277416d354ac95961ce39b12448cb91..80d56bc7f86d3118db6f0c89426380cbfde9eecd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP                                                                        NEWS
     Stas)
   . Fixed bug #62432 (ReflectionMethod random corrupt memory on high
     concurrent). (Johannes)
+  . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed 
+    Salt). (Anthony Ferrara)
 
 - Fileinfo:
   . Fixed magic file regex support. (Felipe)
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index e0d90e7e392b5a4a62a216038655ef83fb916299..2eb4fc3678f5a2f3e8d50a7022ba9d8c5f3c7de9 100644 (file)
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,7 +199,7 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha512_salt_prefix) - 1
                                                + sizeof(sha512_rounds_prefix) + 9 + 1
-                                               + strlen(salt) + 1 + 43 + 1);
+                                               + PHP_MAX_SALT_LEN + 1 + 43 + 1);
                        output = emalloc(needed * sizeof(char *));
                        salt[salt_in_len] = '\0';
 
@@ -222,7 +222,7 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha256_salt_prefix) - 1
                                                + sizeof(sha256_rounds_prefix) + 9 + 1
-                                               + strlen(salt) + 1 + 43 + 1);
+                                               + PHP_MAX_SALT_LEN + 1 + 43 + 1);
                        output = emalloc(needed * sizeof(char *));
                        salt[salt_in_len] = '\0';
 
diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt
new file mode 100644 (file)
index 0000000..9e0dc38
--- /dev/null
+++ b/ext/standard/tests/strings/bug62443.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
+--FILE--
+<?php
+crypt("foo", '$5$'.chr(0).'abc');
+crypt("foo", '$6$'.chr(0).'abc');
+echo "OK!";
+--EXPECT--
+OK!
Unnamed repository; edit this file 'description' to name the repository.