- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
- Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe)
- Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name)
Generates a key using hash functions */
PHP_FUNCTION(mhash_keygen_s2k)
{
- long algorithm, bytes;
+ long algorithm, l_bytes;
+ int bytes;
char *password, *salt;
int password_len, salt_len;
char padded_salt[SALT_SIZE];
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) {
return;
}
+ bytes = (int)l_bytes;
if (bytes <= 0){
php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter must be greater than 0");
RETURN_FALSE;
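Review bot: The range check at `if (bytes <= 0)` runs after `bytes = (int)l_bytes;`, so it tests the narrowed value rather than the value the caller passed. Where `long` is 64 bits, a request above `INT_MAX` is converted in an implementation-defined way and can come out as a small positive `int` that passes the check, so the function would silently derive a key of a different length than requested. Validating before the cast avoids this and keeps the warning accurate: `if (l_bytes <= 0 || l_bytes > INT_MAX) {` with `bytes = (int)l_bytes;` moved after the check. The body of `mhash_keygen_s2k` continues outside the hunk, so how `bytes` is later used for sizing is not visible here.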