diff options
| author | Nikita Popov <nikic@php.net> | 2012-06-29 12:47:37 +0200 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2012-06-29 13:11:43 +0200 |
| commit | e6cf7d774519300c08399cae5bfba90e33749727 (patch) | |
| tree | 8f8dc0c5e4e1b63522279c20d51b18470dfd9c6b | |
| parent | 7e8276ca68fc622124d51d18e4f7b5cde3536de4 (diff) | |
| download | php-git-e6cf7d774519300c08399cae5bfba90e33749727.tar.gz | |
Fix some lengths in crypt()
Use salt_len_in instead of strlen(salt) or PHP_MAX_SALT_LEN, otherwise too
much memory will be allocated.
sha512 has a 86 character checksum, not 43. That probably was a copy&paste
from the sha256 code which indeed has 43.
The allocation also was using sizeof(char *), thus allocating 4 or 8 times
as much memory as necessary. The sizeof(char *) was removed in the 5.4
branch in b7a92c9 but forgotten on 5.3.
The memset 0 call was using PHP_MAX_SALT_LEN which can be smaller than the
output buffer and thus not zeroing out everything. Use the size of the
output buffer (needed) instead.
| -rw-r--r-- | ext/standard/crypt.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 2eb4fc3678..27a8d82d0e 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -199,8 +199,8 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1 - + PHP_MAX_SALT_LEN + 1 + 43 + 1); - output = emalloc(needed * sizeof(char *)); + + salt_in_len + 1 + 86 + 1); + output = emalloc(needed); salt[salt_in_len] = '\0'; crypt_res = php_sha512_crypt_r(str, salt, output, needed); @@ -214,7 +214,7 @@ PHP_FUNCTION(crypt) RETVAL_STRING(output, 1); } - memset(output, 0, PHP_MAX_SALT_LEN + 1); + memset(output, 0, needed); efree(output); } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') { const char sha256_salt_prefix[] = "$5$"; @@ -222,8 +222,8 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1 - + PHP_MAX_SALT_LEN + 1 + 43 + 1); - output = emalloc(needed * sizeof(char *)); + + salt_in_len + 1 + 43 + 1); + output = emalloc(needed); salt[salt_in_len] = '\0'; crypt_res = php_sha256_crypt_r(str, salt, output, needed); @@ -237,7 +237,7 @@ PHP_FUNCTION(crypt) RETVAL_STRING(output, 1); } - memset(output, 0, PHP_MAX_SALT_LEN + 1); + memset(output, 0, needed); efree(output); } else if ( salt[0] == '$' && |