From: Stanislav Malyshev Date: Tue, 20 Apr 2010 00:45:07 +0000 (+0000) Subject: fix 64-bit integer overflow in mhash_keygen_s2k X-Git-Tag: php-5.3.3RC1~301 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8088be390f80642c3b5acea581f24ffeb7f2f238;p=php fix 64-bit integer overflow in mhash_keygen_s2k --- diff --git a/NEWS b/NEWS index 51a6f16355..bebc34f25e 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,7 @@ PHP NEWS - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) +- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) - Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe) - Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name) diff --git a/ext/hash/hash.c b/ext/hash/hash.c index 73b0931a01..a86222d803 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -739,15 +739,17 @@ PHP_FUNCTION(mhash_get_block_size) Generates a key using hash functions */ PHP_FUNCTION(mhash_keygen_s2k) { - long algorithm, bytes; + long algorithm, l_bytes; + int bytes; char *password, *salt; int password_len, salt_len; char padded_salt[SALT_SIZE]; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) { return; } + bytes = (int)l_bytes; if (bytes <= 0){ php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter must be greater than 0"); RETURN_FALSE;