From: Anthony Ferrara Date: Fri, 29 Jun 2012 00:00:03 +0000 (-0400) Subject: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt) X-Git-Tag: php-5.3.15RC1~7^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4;p=php Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt) Fixed a memory allocation bug in crypt() SHA256/512 that can cause segmentation faults when passed in salts with a null byte early. --- diff --git a/NEWS b/NEWS index 520aa192f2..80d56bc7f8 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,8 @@ PHP NEWS Stas) . Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent). (Johannes) + . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed + Salt). (Anthony Ferrara) - Fileinfo: . Fixed magic file regex support. (Felipe) diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index e0d90e7e39..2eb4fc3678 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -199,7 +199,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; @@ -222,7 +222,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt new file mode 100644 index 0000000000..9e0dc38cfb --- /dev/null +++ b/ext/standard/tests/strings/bug62443.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt +--FILE-- +