From: Anatol Belski
Date: Mon, 29 Aug 2016 18:32:55 +0000 (+0200)
Subject: Merge branch 'PHP-5.6' into PHP-7.0
X-Git-Tag: php-7.0.11RC1~14
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=946335ba706b7dbfe70a5fc9a1e74ee46af19cfe;p=php

Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6:
  Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
---

946335ba706b7dbfe70a5fc9a1e74ee46af19cfe
diff --cc ext/standard/crypt.c
index 66b37eb79e,10f19ff113..bca3bd1363
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@@ -202,8 -196,19 +202,16 @@@ PHPAPI zend_string *php_crypt(const cha
 } else if (
 salt[0] == '$' &&
 salt[1] == '2' &&
- salt[3] == '$' &&
- salt[4] >= '0' && salt[4] <= '3' &&
- salt[5] >= '0' && salt[5] <= '9' &&
- salt[6] == '$') {
+ salt[3] == '$') {
 char output[PHP_MAX_SALT_LEN + 1];
+ int k = 7;
+
+ while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+ k++;
+ }
+ if (k != salt_len) {
- return FAILURE;
++ return NULL;
+ }
 memset(output, 0, PHP_MAX_SALT_LEN + 1);