authorAnthony Ferrara <ircmaxell@ircmaxell.com>2012-06-28 20:00:03 -0400
committerAnthony Ferrara <ircmaxell@ircmaxell.com>2012-06-28 20:00:03 -0400
commit7e8276ca68fc622124d51d18e4f7b5cde3536de4 (patch)
treea07d17857faef8f3774da07ae53e922eede6301b
parent974324676b2436f159f42d9241c569f813471684 (diff)
downloadphp-git-7e8276ca68fc622124d51d18e4f7b5cde3536de4.tar.gz
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
Fixed a memory allocation bug in crypt() SHA256/512 that can cause segmentation faults when it is passed a salt containing an early null byte.
-rw-r--r--NEWS2
-rw-r--r--ext/standard/crypt.c4
-rw-r--r--ext/standard/tests/strings/bug62443.phpt9
3 files changed, 13 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 520aa192f2..80d56bc7f8 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP NEWS
Stas)
. Fixed bug #62432 (ReflectionMethod random corrupt memory on high
concurrent). (Johannes)
+ . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed
+ Salt). (Anthony Ferrara)
- Fileinfo:
. Fixed magic file regex support. (Felipe)
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index e0d90e7e39..2eb4fc3678 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,7 +199,7 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha512_salt_prefix) - 1
+ sizeof(sha512_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
output = emalloc(needed * sizeof(char *));
salt[salt_in_len] = '\0';
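Review bot: In the SHA-512 branch the size still adds `43` for the encoded digest, which is the SHA-256 length; a SHA-512 crypt digest encodes to 86 characters, so this term undercounts and the buffer is large enough only because of the `PHP_MAX_SALT_LEN` slack and the `sizeof(char *)` multiplier on the next line. I would make both explicit with `+ PHP_MAX_SALT_LEN + 1 + 86 + 1);` and `output = emalloc(needed);`, since `output` is a `char` buffer and the pointer-size multiplier hides what length is really required. The same `emalloc(needed * sizeof(char *))` appears in the SHA-256 hunk below. The call that consumes `output` and `needed` lies outside the hunk, so confirm which length it receives as the buffer bound.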
@@ -222,7 +222,7 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha256_salt_prefix) - 1
+ sizeof(sha256_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
output = emalloc(needed * sizeof(char *));
salt[salt_in_len] = '\0';
diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt
new file mode 100644
index 0000000000..9e0dc38cfb
--- /dev/null
+++ b/ext/standard/tests/strings/bug62443.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
+--FILE--
+<?php
+crypt("foo", '$5$'.chr(0).'abc');
+crypt("foo", '$6$'.chr(0).'abc');
+echo "OK!";
+--EXPECT--
+OK!
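Review bot: The test only proves that the process does not crash: both `crypt()` results are discarded and the sole expectation is `OK!`, so a heap overwrite that happens not to fault, or a change in what is returned for a salt with an embedded NUL byte, would pass unnoticed. Consider pinning the results, e.g. `var_dump(crypt("foo", '$5$'.chr(0).'abc'));`, with the matching `--EXPECT--` lines taken from a verified build, and running this test under a memory checker in CI. A case with a `rounds=` prefix ahead of the NUL byte would also exercise the rounds term of the size calculation in crypt.c.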