From: Julien Pauli
Date: Mon, 4 Jan 2016 13:46:57 +0000 (+0100)
Subject: Moved buffer from heap to stack
X-Git-Tag: php-7.0.3RC1~66^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=810452f68e0995ce38669fff2dc25a713184d611;p=php
Moved buffer from heap to stack
---
diff --git a/ext/standard/password.c b/ext/standard/password.c
index f6b138d516..e7016e8548 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -307,7 +307,7 @@ PHP_FUNCTION(password_verify)
 Hash a password */
 PHP_FUNCTION(password_hash)
 {
- char *hash_format, *hash, *salt, *password, *result;
+ char hash_format[8], *hash, *salt, *password, *result;
 long algo = 0;
 int password_len = 0, hash_len;
 size_t salt_len = 0, required_salt_len = 0, hash_format_len;
@@ -341,7 +341,6 @@ PHP_FUNCTION(password_hash)
 }
 required_salt_len = 22;
- hash_format = emalloc(8);
 sprintf(hash_format, "$2y$%02ld$", cost);
 hash_format_len = 7;
 }
@@ -380,25 +379,21 @@ PHP_FUNCTION(password_hash)
 case IS_RESOURCE:
 case IS_ARRAY:
 default:
- efree(hash_format);
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Non-string salt parameter supplied");
 RETURN_NULL();
 }
 if (buffer_len_int < 0) {
- efree(hash_format);
 efree(buffer);
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Supplied salt is too long");
 }
 buffer_len = (size_t) buffer_len_int;
 if (buffer_len < required_salt_len) {
- efree(hash_format);
 efree(buffer);
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Provided salt is too short: %lu expecting %lu", (unsigned long) buffer_len, (unsigned long) required_salt_len);
 RETURN_NULL();
 } else if (php_password_salt_is_alphabet(buffer, buffer_len) == FAILURE) {
 salt = safe_emalloc(required_salt_len, 1, 1);
 if (php_password_salt_to64(buffer, buffer_len, required_salt_len, salt) == FAILURE) {
- efree(hash_format);
 efree(buffer);
 efree(salt);
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Provided salt is too short: %lu", (unsigned long) buffer_len);
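Review bot: With `hash_format` now declared as `char hash_format[8]` in the first hunk, the unbounded `sprintf(hash_format, "$2y$%02ld$", cost)` kept as context in the second hunk (-341) fits only while `cost` formats to exactly two digits. `%02ld` sets a minimum width, not a maximum, so a negative or three-digit value would write past a stack array instead of a heap block. The range check on `cost` is presumably just above that hunk, but it is not visible here and the write should not rely on it: use `snprintf(hash_format, sizeof(hash_format), "$2y$%02ld$", cost);`. The body of `password_hash` extends beyond both hunks.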
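Review bot: In the third hunk (-380), the `if (buffer_len_int < 0)` branch frees `buffer` and emits "Supplied salt is too long" but never returns, unlike the error branches around it. Execution therefore continues to `buffer_len = (size_t) buffer_len_int` and passes the freed `buffer` to `php_password_salt_is_alphabet()`. This commit only drops the `efree(hash_format)` from that branch, so the fall-through is still present in the new code; add `RETURN_NULL();` after the `php_error_docref(...)` call there. The function continues past the hunk, so whether `buffer` is freed a second time further down could not be checked from here.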
@@ -414,7 +409,6 @@ PHP_FUNCTION(password_hash)
 } else {
 salt = safe_emalloc(required_salt_len, 1, 1);
 if (php_password_make_salt(required_salt_len, salt TSRMLS_CC) == FAILURE) {
- efree(hash_format);
 efree(salt);
 RETURN_FALSE;
 }
@@ -427,7 +421,6 @@ PHP_FUNCTION(password_hash)
 sprintf(hash, "%s%s", hash_format, salt);
 hash[hash_format_len + salt_len] = 0;
- efree(hash_format);
 efree(salt);
 /* This cast is safe, since both values are defined here in code and cannot overflow */