From da3b899dd8023bc7590af8852270dcc035c19fe8 Mon Sep 17 00:00:00 2001
From: Sascha Schumann <sas@php.net>
Date: Sun, 1 Jul 2001 11:20:56 +0000
Subject: [PATCH] mhash_keygen_s2k() overwrote the limits of a statically
 allocated buffer for long salts.  We truncate the salt now appropiately.

PR: #11817
---
 ext/mhash/mhash.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ext/mhash/mhash.c b/ext/mhash/mhash.c
index 75d86c5bbf..70d0dda27b 100644
--- a/ext/mhash/mhash.c
+++ b/ext/mhash/mhash.c
@@ -225,7 +225,7 @@ PHP_FUNCTION(mhash_keygen_s2k)
 	password = Z_STRVAL_PP(input_password);
 	password_len = Z_STRLEN_PP(input_password);
 
-	salt_len = Z_STRLEN_PP(input_salt);
+	salt_len = MIN(Z_STRLEN_PP(input_salt), SALT_SIZE);
 
 	if (salt_len > mhash_get_keygen_salt_size(KEYGEN_S2K_SALTED)) {
 		sprintf( error, "The specified salt [%d] is more bytes than the required by the algorithm [%d]\n", salt_len, mhash_get_keygen_salt_size(KEYGEN_S2K_SALTED));
@@ -233,8 +233,9 @@ PHP_FUNCTION(mhash_keygen_s2k)
 		php_error(E_WARNING, error);
 	}
 
-	memset( salt, 0, SALT_SIZE);
-	memcpy( salt, Z_STRVAL_PP(input_salt), salt_len);
+	memcpy(salt, Z_STRVAL_PP(input_salt), salt_len);
+	if (salt_len < SALT_SIZE)
+		memset(salt + salt_len, 0, SALT_SIZE - salt_len);
 	salt_len=SALT_SIZE;
 	
 /*	if (salt_len==0) {
-- 
2.40.0