]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0e985d3)
Fixed possible read after end of buffer and use after free.
authorDmitry Stogov <dmitry@zend.com>
Mon, 8 Dec 2014 09:18:27 +0000 (12:18 +0300)
committerDmitry Stogov <dmitry@zend.com>
Mon, 8 Dec 2014 09:18:27 +0000 (12:18 +0300)
ext/mcrypt/mcrypt.c patch | blob | history

diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 55302c77f85554f99f763ab622013c089b08c2d8..7f463cf5de87ff534cbc9ca1385d6072d57b2cf3 100644 (file)
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -619,8 +619,11 @@ PHP_FUNCTION(mcrypt_generic_init)
 
        if (iv_len != iv_size) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Iv size incorrect; supplied length: %d, needed: %d", iv_len, iv_size);
+               if (iv_len > iv_size) {
+                       iv_len = iv_size;
+               }
        }
-       memcpy(iv_s, iv, iv_size);
+       memcpy(iv_s, iv, iv_len);
 
        mcrypt_generic_deinit(pm->td);
        result = mcrypt_generic_init(pm->td, key_s, key_size, iv_s);
@@ -641,8 +644,9 @@ PHP_FUNCTION(mcrypt_generic_init)
                                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown error");
                                break;
                }
+       } else {
+               pm->init = 1;
        }
-       pm->init = 1;
        RETVAL_LONG(result);
 
        efree(iv_s);
Unnamed repository; edit this file 'description' to name the repository.