From: Anatol Belski
Date: Mon, 29 Aug 2016 18:25:34 +0000 (+0200)
Subject: Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_v...
X-Git-Tag: php-5.6.26RC1~10
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=295303b59059536079caf68b4d76acf2149bd42c;p=php
Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
---
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 1b83d6e127..10f19ff113 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -201,6 +201,14 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
 salt[5] >= '0' && salt[5] <= '9' &&
 salt[6] == '$') {
 char output[PHP_MAX_SALT_LEN + 1];
+ int k = 7;
+
+ while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+ k++;
+ }
+ if (k != salt_len) {
+ return FAILURE;
+ }
 memset(output, 0, PHP_MAX_SALT_LEN + 1);
diff --git a/ext/standard/tests/strings/bug72703.phpt b/ext/standard/tests/strings/bug72703.phpt
new file mode 100644
index 0000000000..5e3bf4875d
--- /dev/null
+++ b/ext/standard/tests/strings/bug72703.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
+--SKIPIF--
+
+--FILE--
+
+==OK==
+--EXPECT--
+bool(false)
+==OK==
+
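Review bot: The new scan in the `$2` branch, `while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k])`, is not bounded by `salt_len`, so it only stops at a byte outside the bcrypt alphabet and relies on the salt being NUL-terminated at or before `salt_len`; for a caller that passes an unterminated buffer the scan itself reads past the salt, which is the class of read this commit is fixing. Bounding the loop keeps the `k != salt_len` rejection intact: `while (k < salt_len && (isalnum((unsigned char)salt[k]) || '.' == salt[k] || '/' == salt[k])) {`. The `(unsigned char)` cast also avoids passing a negative `char` to `isalnum()`, which is undefined for any value other than EOF that is not representable as `unsigned char`. `isalnum()` is additionally locale-dependent, so under a non-C LC_CTYPE it may accept bytes outside `A-Za-z0-9` that the Blowfish decoder presumably will not; an explicit range test would pin the alphabet to exactly `./A-Za-z0-9`. Whether every caller passes a NUL-terminated salt cannot be seen here, and `php_crypt`'s body continues outside the hunk.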