fix CVE-2012-2143

diff --git a/NEWS b/NEWS
index 6863a73e5ece785f80a79c09ff81d283a4a00480..0297393363c418ab8ba987983f2eb340a36ad11e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@ PHP                                                                        NEWS
 - COM:
   . Fixed bug #62146 com_dotnet cannot be built shared. (Johannes)
 
+- Core:
+  . Fixed CVE-2012-2143. (Solar Designer)
+
 - Fileinfo:
   . Fixed magic file regex support. (Felipe)
 

diff --git a/ext/standard/crypt_freesec.c b/ext/standard/crypt_freesec.c
index 49c397cca1a96be9ee002e9a0899ae4bdd1c661a..0a5c3ba5fa793df68dccfeef127d27466ac0856b 100644 (file)
--- a/ext/standard/crypt_freesec.c
+++ b/ext/standard/crypt_freesec.c
@@ -629,7 +629,8 @@ _crypt_extended_r(const char *key, const char *setting,
         */
        q = (u_char *) keybuf;
        while (q - (u_char *) keybuf < sizeof(keybuf)) {
-               if ((*q++ = *key << 1))
+               *q++ = *key << 1;
+               if (*key)
                        key++;
        }
        if (des_setkey((u_char *) keybuf, data))

diff --git a/ext/standard/tests/strings/crypt_chars.phpt b/ext/standard/tests/strings/crypt_chars.phpt
new file mode 100644 (file)
index 0000000..09cd868
--- /dev/null
+++ b/ext/standard/tests/strings/crypt_chars.phpt
@@ -0,0 +1,19 @@
+--TEST--
+crypt() function - characters > 0x80
+--SKIPIF--
+<?php
+if (!function_exists('crypt')) {
+        die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+var_dump(crypt("À1234abcd", "99"));
+var_dump(crypt("À9234abcd", "99"));
+var_dump(crypt("À1234abcd", "_01234567"));
+var_dump(crypt("À9234abcd", "_01234567"));
+--EXPECT--
+string(13) "99PxawtsTfX56"
+string(13) "99jcVcGxUZOWk"
+string(20) "_01234567IBjxKliXXRQ"
+string(20) "_012345678OSGpGQRVHA"