From: Jakub Zelenka Date: Sun, 16 Aug 2015 14:43:00 +0000 (+0100) Subject: Fix some int overflows in openssl X-Git-Tag: php-7.0.0RC1~7^2~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f3abea9f915a85dea00ba809751697c029ed75a2;p=php Fix some int overflows in openssl There might be more. I just did a quick check for enc/dec, rand and one BN call.
---
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 8f2adab7f7..b09f17481f 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -5228,6 +5228,10 @@ PHP_FUNCTION(openssl_encrypt)
 EVP_EncryptInit(&cipher_ctx, cipher_type, NULL, NULL);
 if (password_len > keylen) {
+ if (INT_MAX < password_len) {
+ php_error_docref(NULL, E_WARNING, "password is too long");
+ RETURN_FALSE;
+ }
 EVP_CIPHER_CTX_set_key_length(&cipher_ctx, (int)password_len);
 }
 EVP_EncryptInit_ex(&cipher_ctx, NULL, NULL, key, (unsigned char *)iv);
@@ -5324,6 +5328,10 @@ PHP_FUNCTION(openssl_decrypt)
 EVP_DecryptInit(&cipher_ctx, cipher_type, NULL, NULL);
 if (password_len > keylen) {
+ if (INT_MAX < password_len) {
+ php_error_docref(NULL, E_WARNING, "password is too long");
+ RETURN_FALSE;
+ }
 EVP_CIPHER_CTX_set_key_length(&cipher_ctx, (int)password_len);
 }
 EVP_DecryptInit_ex(&cipher_ctx, NULL, NULL, key, (unsigned char *)iv);
@@ -5403,6 +5411,10 @@ PHP_FUNCTION(openssl_dh_compute_key)
 RETURN_FALSE;
 }
+ if (INT_MAX < pub_len) {
+ php_error_docref(NULL, E_WARNING, "pub_key is too long");
+ RETURN_FALSE;
+ }
 pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);
 data = zend_string_alloc(DH_size(pkey->pkey.dh), 0);
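Review bot: In openssl_encrypt the new `RETURN_FALSE` is reached after `EVP_EncryptInit(&cipher_ctx, cipher_type, NULL, NULL)` has already run, so the early exit leaves the cipher context initialised and bypasses whatever cleanup the function performs on its normal path; the output buffer and any copied key or IV are presumably allocated by then as well, though that code is outside the hunk. The openssl_decrypt hunk places its guard the same way after `EVP_DecryptInit`. The length-to-int test is simpler and leak-free when it runs right after argument parsing, before anything is allocated, e.g. `if (password_len > INT_MAX) { php_error_docref(NULL, E_WARNING, "password is too long"); RETURN_FALSE; }`. The function body starts and ends outside the hunk.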
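Review bot: The result of `EVP_CIPHER_CTX_set_key_length(&cipher_ctx, (int)password_len);` is discarded in openssl_decrypt, and likewise in the openssl_encrypt hunk, so a cipher that rejects the requested key length still proceeds to `EVP_DecryptInit_ex` with its default length. In that case it appears only the first `keylen` bytes of the password take effect and the caller gets no warning, which weakens keys that callers believe are longer. Consider testing the return value, e.g. `if (!EVP_CIPHER_CTX_set_key_length(&cipher_ctx, (int)password_len)) { /* warn: key truncated to cipher key length */ }`, or at minimum add a comment stating that over-long passwords are truncated for fixed-key-length ciphers. The function continues outside the hunk.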
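Review bot: `pub = BN_bin2bn((unsigned char*)pub_str, (int)pub_len, NULL);` in openssl_dh_compute_key has no NULL check in the visible lines, although BN_bin2bn returns NULL when it cannot allocate; the next visible statement goes straight on to allocate the result string. If `pub` is consumed unchecked further down (outside the hunk), a failed conversion is passed on as a null public value. Suggest `if (pub == NULL) { RETURN_FALSE; }` directly after the call. A short comment above the new guard, `/* BN_bin2bn takes an int length; reject values the cast would truncate */`, would also record why the bound is INT_MAX.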
@@ -5454,7 +5466,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 RETURN_FALSE;
 }
 #else
- if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), buffer_length) <= 0) {
+ if (INT_MAX < buffer_length) {
+ php_error_docref(NULL, E_WARNING, "length is too long");
+ RETURN_FALSE;
+ }
+ if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
 zend_string_release(buffer);
 if (zstrong_result_returned) {
 ZVAL_FALSE(zstrong_result_returned);
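Review bot: The new early `RETURN_FALSE` in the `#else` branch exits without releasing `buffer`, which the RAND_bytes failure path just below frees with `zend_string_release(buffer);`, so an over-long request leaks the string. It also skips the `ZVAL_FALSE(zstrong_result_returned)` that the failure path sets, so as far as the hunk shows the strong-result output is left in whatever state earlier code gave it. Add `zend_string_release(buffer);` before the return and mirror the `zstrong_result_returned` handling, or preferably move the INT_MAX test ahead of the allocation (outside this hunk) so an oversized buffer is never allocated at all. The guard exists only on the `#else` side; the branch before `#else` is not visible here and should be confirmed to bound the length as well.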