From: Christoph M. Becker
Date: Mon, 18 Sep 2017 16:09:53 +0000 (+0200)
Subject: Fixed bug #75221 (Argon2i always throws NUL at the end)
X-Git-Tag: php-7.2.0RC5~63
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3f8961dfac96a992df2516c0e383e6820eedd31b;p=php
Fixed bug #75221 (Argon2i always throws NUL at the end)
Apparently, `argon2_encodedlen()` also counts the terminating NUL byte; that doesn't appear to be documented somewhere, but from looking at the implementation[1] it is pretty obvious. Therefore, the respective `zend_string` has to be one byte shorter. [1]
---
diff --git a/NEWS b/NEWS
index cfa129b82f..8578801bd7 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,9 @@ PHP NEWS
 - Openssl:
 . Fixed bug #75363 (openssl_x509_parse leaks memory). (Bob)
+- Standard:
+ . Fixed bug #75221 (Argon2i always throws NUL at the end). (cmb)
+
 - Zlib:
 . Fixed bug #75299 (Wrong reflection on inflate_init and inflate_add). (Fabien Villepinte)
diff --git a/ext/standard/password.c b/ext/standard/password.c
index 680eed47a8..7f99f21e29 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -526,7 +526,7 @@ PHP_FUNCTION(password_hash)
 #endif
 );
- encoded = zend_string_alloc(encoded_len, 0);
+ encoded = zend_string_alloc(encoded_len - 1, 0);
 status = argon2_hash(
 time_cost,
 memory_cost,
@@ -538,7 +538,7 @@ PHP_FUNCTION(password_hash)
 ZSTR_VAL(out),
 ZSTR_LEN(out),
 ZSTR_VAL(encoded),
- ZSTR_LEN(encoded),
+ encoded_len,
 type,
 ARGON2_VERSION_NUMBER
 );
diff --git a/ext/standard/tests/password/bug75221.phpt b/ext/standard/tests/password/bug75221.phpt
new file mode 100644
index 0000000000..ec03f92ea6
--- /dev/null
+++ b/ext/standard/tests/password/bug75221.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #75221 (Argon2i always throws NUL at the end)
+--SKIPIF--
+
+--FILE--
+ 16384, 'time_cost' => 2, 'threads' => 4]
+);
+var_dump(substr($hash, -1, 1) !== "\0");
+?>
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
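Review bot: In ext/standard/password.c the `argon2_hash()` call (hunk at -538) now passes `encoded_len` as the output buffer size, one more than the `zend_string` length requested in the hunk at -526, and nothing in the code says why that write stays in bounds. It is safe only because `zend_string_alloc()` reserves one byte past the requested length for the terminator, and because `argon2_encodedlen()` counts the NUL, which the commit message itself describes as undocumented. A comment above the allocation would keep a later cleanup from restoring `ZSTR_LEN(encoded)` or dropping the `- 1`, e.g. `/* argon2_encodedlen() includes the trailing NUL; zend_string_alloc() adds room for it, so the buffer holds encoded_len bytes */`. The body of PHP_FUNCTION(password_hash) starts and ends outside both hunks.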
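Review bot: The new test in ext/standard/tests/password/bug75221.phpt asserts only that the last byte of the hash is not NUL (`var_dump(substr($hash, -1, 1) !== "\0");`), so it would still pass if the returned string came out one character short. Because the fix depends on `argon2_encodedlen()` including the terminator, the test should also check that the hash round-trips: add a second `var_dump()` of `password_verify()` called with the password given to `password_hash()` and `$hash`, plus a matching `bool(true)` line in --EXPECT--. Parts of the test body are missing from this rendering of the page, so the exact arguments cannot be quoted here.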