author | Anthony Ferrara <ircmaxell@ircmaxell.com> | 2012-06-28 20:00:03 -0400 |
---|---|---|
committer | Anthony Ferrara <ircmaxell@ircmaxell.com> | 2012-06-28 20:00:03 -0400 |
commit | 7e8276ca68fc622124d51d18e4f7b5cde3536de4 (patch) | |
tree | a07d17857faef8f3774da07ae53e922eede6301b | |
parent | 974324676b2436f159f42d9241c569f813471684 (diff) | |
download | php-git-7e8276ca68fc622124d51d18e4f7b5cde3536de4.tar.gz |
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
Fixed a memory allocation bug in crypt() SHA256/512 that can
cause segmentation faults when passed in salts with a null byte
early.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/crypt.c | 4 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug62443.phpt | 9 |
3 files changed, 13 insertions, 2 deletions
@@ -14,6 +14,8 @@ PHP NEWS Stas) . Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent). (Johannes)
+ . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed
+ Salt). (Anthony Ferrara)
 - Fileinfo: . Fixed magic file regex support. (Felipe)
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index e0d90e7e39..2eb4fc3678 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,7 +199,7 @@ PHP_FUNCTION(crypt)
 char *output;
 int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
 output = emalloc(needed * sizeof(char *));
 salt[salt_in_len] = '\0';
@@ -222,7 +222,7 @@ PHP_FUNCTION(crypt)
 char *output;
 int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
 output = emalloc(needed * sizeof(char *));
 salt[salt_in_len] = '\0';
diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt
new file mode 100644
index 0000000000..9e0dc38cfb
--- /dev/null
+++ b/ext/standard/tests/strings/bug62443.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
+--FILE--
+<?php
+crypt("foo", '$5$'.chr(0).'abc');
+crypt("foo", '$6$'.chr(0).'abc');
+echo "OK!";
+--EXPECT--
+OK!
|
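Review bot: In the ext/standard/crypt.c hunk at line 199, and identically in the one at line 222, `emalloc(needed * sizeof(char *))` still sizes a `char` buffer by pointer width, so the allocation is several times larger than `needed` and no longer matches any length derived from `needed` later on; `output = emalloc(needed);` keeps the two in step. The literal `43` looks like the encoded SHA-256 digest length, yet the first hunk is the sha512 branch (its prefix names say so), where the encoded digest is 86 characters. The bound there therefore holds only if PHP_MAX_SALT_LEN leaves enough slack; that constant is defined outside this diff, so it is worth confirming and recording in a comment such as `/* prefix + "rounds=N$" + max salt + '$' + encoded digest + NUL */`. PHP_FUNCTION(crypt) starts and ends outside both hunks, so how `needed` is used after the allocation is not visible here.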
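Review bot: The new bug62443.phpt discards both crypt() return values and only prints `OK!`, so it passes whenever the process survives; an undersized buffer that is overrun without crashing on a given build would go unnoticed. Printing the two results and pinning them in `--EXPECT--` (values taken from a fixed build) would make the test check behaviour rather than the absence of a crash. The sizing expression in crypt.c also reserves room for a rounds prefix that neither input uses, so a third case such as `crypt("foo", '$6$rounds=1000$'.chr(0).'abc');` would cover that path as well.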