From: Jakub Zelenka
Date: Tue, 18 Aug 2015 18:46:59 +0000 (+0100)
Subject: Fix possible overflow in openssl_pbkdf2
X-Git-Tag: php-7.0.0RC2~2^2~117
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=618c327a56b03449324cdaa0d630ea710aea22fd;p=php

Fix possible overflow in openssl_pbkdf2

Especially key_length would lead to the crash if it overflowed to the negative value.
---
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 1608e5d5af..1e03ce7164 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4011,6 +4011,22 @@ PHP_FUNCTION(openssl_pbkdf2)
 if (key_length <= 0) {
 RETURN_FALSE;
 }
+ if (INT_MAX < key_length) {
+ php_error_docref(NULL, E_WARNING, "key_length is too long");
+ RETURN_FALSE;
+ }
+ if (INT_MAX < iterations) {
+ php_error_docref(NULL, E_WARNING, "iterations is too long");
+ RETURN_FALSE;
+ }
+ if (INT_MAX < password_len) {
+ php_error_docref(NULL, E_WARNING, "password_len is too long");
+ RETURN_FALSE;
+ }
+ if (INT_MAX < salt_len) {
+ php_error_docref(NULL, E_WARNING, "salt_len is too long");
+ RETURN_FALSE;
+ }
 if (method_len) {
 digest = EVP_get_digestbyname(method);
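Review bot: No lower bound on `iterations` is visible beside the new upper-bound tests: `key_length <= 0` is rejected just above, but a zero or negative iteration count passes all four added checks. The derivation call is outside the hunk, but depending on the OpenSSL version a non-positive count is either rejected inside the library or treated as a single round, which would silently yield a barely stretched key. I would add, next to the `INT_MAX < iterations` test, `if (iterations <= 0) { php_error_docref(NULL, E_WARNING, "iterations must be a positive integer"); RETURN_FALSE; }`. The body of openssl_pbkdf2 starts and ends outside the hunk, so such a check may already exist elsewhere and should be confirmed. As a smaller point, the warnings for `password_len` and `salt_len` name internal C variables rather than the PHP-level parameters, and "too long" reads oddly for a count such as `iterations`.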