From 23fdc85e3a47f6691a83fa1e95108b9643eb6272 Mon Sep 17 00:00:00 2001 From: Pierre Joye Date: Sun, 21 Feb 2010 18:11:11 +0000 Subject: [PATCH] - Fix #51059, crypt can fail and return NULL, on almost all implementations --- ext/standard/crypt.c | 45 ++++++++++++++++++------ ext/standard/tests/strings/bug51059.phpt | 2 -- 2 files changed, 35 insertions(+), 12 deletions(-) diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index fddfa5fc84..5123d8ff4a 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -15,6 +15,7 @@ | Authors: Stig Bakken | | Zeev Suraski | | Rasmus Lerdorf | + | Pierre Joye | +----------------------------------------------------------------------+ */ @@ -146,7 +147,7 @@ PHP_FUNCTION(crypt) char salt[PHP_MAX_SALT_LEN + 1]; char *str, *salt_in = NULL; int str_len, salt_in_len = 0; - + char *crypt_res; salt[0] = salt[PHP_MAX_SALT_LEN] = '\0'; /* This will produce suitable results if people depend on DES-encryption @@ -195,9 +196,13 @@ PHP_FUNCTION(crypt) output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; - php_sha512_crypt_r(str, salt, output, needed); + crypt_res = php_sha512_crypt_r(str, salt, output, needed); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } - RETVAL_STRING(output, 1); memset(output, 0, PHP_MAX_SALT_LEN + 1); efree(output); } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') { @@ -209,9 +214,14 @@ PHP_FUNCTION(crypt) + strlen(salt) + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; - php_sha256_crypt_r(str, salt, output, needed); - RETVAL_STRING(output, 1); + crypt_res = php_sha256_crypt_r(str, salt, output, needed); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } + memset(output, 0, PHP_MAX_SALT_LEN + 1); efree(output); } else if ( @@ -225,14 +235,25 @@ PHP_FUNCTION(crypt) char output[PHP_MAX_SALT_LEN + 1]; memset(output, 0, PHP_MAX_SALT_LEN + 1); - php_crypt_blowfish_rn(str, salt, output, sizeof(output)); - RETVAL_STRING(output, 1); + crypt_res = php_crypt_blowfish_rn(str, salt, output, sizeof(output)); + if (!crypt_res) { + RETVAL_FALSE; + } else { + RETVAL_STRING(output, 1); + } + memset(output, 0, PHP_MAX_SALT_LEN + 1); } else { memset(&buffer, 0, sizeof(buffer)); _crypt_extended_init_r(); - RETURN_STRING(_crypt_extended_r(str, salt, &buffer), 1); + + crypt_res = _crypt_extended_r(str, salt, &buffer); + if (!crypt_res) { + RETURN_FALSE; + } else { + RETURN_STRING(crypt_res, 1); + } } } #else @@ -247,8 +268,12 @@ PHP_FUNCTION(crypt) # else # error Data struct used by crypt_r() is unknown. Please report. # endif - - RETURN_STRING(crypt_r(str, salt, &buffer), 1); + crypt_res = crypt_r(str, salt, &buffer); + if (!crypt_res) { + RETURN_FALSE; + } else { + RETURN_STRING(crypt_res, 1); + } } # endif #endif diff --git a/ext/standard/tests/strings/bug51059.phpt b/ext/standard/tests/strings/bug51059.phpt index 561fc792c4..baf8a12c9c 100644 --- a/ext/standard/tests/strings/bug51059.phpt +++ b/ext/standard/tests/strings/bug51059.phpt @@ -1,7 +1,5 @@ --TEST-- Bug #51059 crypt() segfaults on certain salts ---XFAIL-- -Needs a patch from Pierre --FILE--