From 8088be390f80642c3b5acea581f24ffeb7f2f238 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 20 Apr 2010 00:45:07 +0000 Subject: [PATCH] fix 64-bit integer overflow in mhash_keygen_s2k --- NEWS | 1 + ext/hash/hash.c | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 51a6f16355..bebc34f25e 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,7 @@ PHP NEWS - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) +- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) - Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe) - Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name) diff --git a/ext/hash/hash.c b/ext/hash/hash.c index 73b0931a01..a86222d803 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -739,15 +739,17 @@ PHP_FUNCTION(mhash_get_block_size) Generates a key using hash functions */ PHP_FUNCTION(mhash_keygen_s2k) { - long algorithm, bytes; + long algorithm, l_bytes; + int bytes; char *password, *salt; int password_len, salt_len; char padded_salt[SALT_SIZE]; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) { return; } + bytes = (int)l_bytes; if (bytes <= 0){ php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter must be greater than 0"); RETURN_FALSE; -- 2.40.0