From: Gwynne Raskind
Date: Fri, 17 Jul 2009 14:21:59 +0000 (+0000)
Subject: MFH: fix crash when session hash function generated long hashes with hash_bits_per_ch...
X-Git-Tag: php-5.3.1RC1~364
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2673b9be3827a00d0ed0afdd289e980b7c66142a;p=php
MFH: fix crash when session hash function generated long hashes with hash_bits_per_character larger than 4
---
diff --git a/ext/session/session.c b/ext/session/session.c
index c83b2ccab5..caac6a6b05 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -347,7 +347,6 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { } /* }}} */ -#define PS_ID_INITIAL_SIZE 100 PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ { PHP_MD5_CTX md5_context;
@@ -358,7 +357,7 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ unsigned char *digest; int digest_len; int j; - char *buf; + char *buf, *outid; struct timeval tv; zval **array; zval **token;
@@ -406,6 +405,7 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ efree(buf); return NULL; } + efree(buf); if (PS(entropy_length) > 0) { int fd;
@@ -461,20 +461,16 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); } - - if (PS_ID_INITIAL_SIZE < ((digest_len + 2) * (8 / PS(hash_bits_per_character))) ) { - /* 100 bytes is enough for most, but not all hash algos */ - buf = erealloc(buf, (digest_len + 2) * (8 / PS(hash_bits_per_character)) ); - } - - j = (int) (bin_to_readable((char *)digest, digest_len, buf, PS(hash_bits_per_character)) - buf); + + outid = emalloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5)); + j = (int) (bin_to_readable((char *)digest, digest_len, outid, PS(hash_bits_per_character)) - outid); efree(digest); if (newlen) { *newlen = j; } - return buf; + return outid; } /* }}} */
diff --git a/ext/session/tests/031.phpt b/ext/session/tests/031.phpt
new file mode 100644
index 0000000000..e8deb3dac5
--- /dev/null
+++ b/ext/session/tests/031.phpt
@@ -0,0 +1,22 @@
+--TEST--
+setting hash_function to sha512 and hash_bits_per_character > 4 should not crash
+--SKIPIF--
+--INI--
+session.use_cookies=0
+session.cache_limiter=
+session.serialize_handler=php
+session.save_handler=files
+session.hash_function=sha512
+session.hash_bits_per_character=5
+--FILE--
+--EXPECT--
+I live
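Review bot: In the `@@ -461` hunk of ext/session/session.c, the new `emalloc` size is computed in floating point, `(digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5)`, which hides the real bound of the buffer that `bin_to_readable` writes into and depends on an implicit double-to-integer conversion. The removed sizing expression used `8 / PS(hash_bits_per_character)`, which apparently truncated to 1 for 5 and 6 bits, so the size is the security-relevant part of this fix and should be auditable at a glance. Assuming `bin_to_readable` emits one character per `nbits` of input plus a terminating NUL (its body is not in this diff), an exact integer ceiling states that directly: `outid = emalloc((digest_len * 8 + PS(hash_bits_per_character) - 1) / PS(hash_bits_per_character) + 1);` with a comment such as `/* ceil(bits / bits_per_char) output chars + NUL */`. Either form relies on `hash_bits_per_character` having been forced into 4..6 by the range check just above, which would be worth saying in that comment; `php_session_create_id` starts and continues outside this hunk.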