summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnatol Belski <ab@php.net>2016-08-29 20:32:55 +0200
committerAnatol Belski <ab@php.net>2016-08-29 20:32:55 +0200
commit946335ba706b7dbfe70a5fc9a1e74ee46af19cfe (patch)
treeba2d6974a5c188f27b307ba38f70d93fab10b096
parent3437dbfa0097d3c5be69d4efb26a2ecb3edf5168 (diff)
parent295303b59059536079caf68b4d76acf2149bd42c (diff)
downloadphp-git-946335ba706b7dbfe70a5fc9a1e74ee46af19cfe.tar.gz
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
Diffstat
-rw-r--r--ext/standard/crypt.c8
-rw-r--r--ext/standard/tests/strings/bug72703.phpt17
2 files changed, 25 insertions, 0 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 66b37eb79e..bca3bd1363 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -204,6 +204,14 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
salt[1] == '2' &&
salt[3] == '$') {
char output[PHP_MAX_SALT_LEN + 1];
+ int k = 7;
+
+ while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+ k++;
+ }
+ if (k != salt_len) {
+ return NULL;
+ }
memset(output, 0, PHP_MAX_SALT_LEN + 1);
diff --git a/ext/standard/tests/strings/bug72703.phpt b/ext/standard/tests/strings/bug72703.phpt
new file mode 100644
index 0000000000..5e3bf4875d
--- /dev/null
+++ b/ext/standard/tests/strings/bug72703.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+ die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+ var_dump(password_verify("","$2y$10$$"));
+?>
+==OK==
+--EXPECT--
+bool(false)
+==OK==
+
View Lorry Controller Status