diff options
author | Anatol Belski <ab@php.net> | 2016-08-29 20:25:34 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-08-29 20:25:34 +0200 |
commit | 295303b59059536079caf68b4d76acf2149bd42c (patch) | |
tree | 26a6a80cf859d709b2deb19e0e18d1f9dce099c1 | |
parent | 1a840b9af0117f6ac4c2030dc0f8c562a0f453ba (diff) | |
download | php-git-295303b59059536079caf68b4d76acf2149bd42c.tar.gz |
Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
-rw-r--r-- | ext/standard/crypt.c | 8 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug72703.phpt | 17 |
2 files changed, 25 insertions, 0 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 1b83d6e127..10f19ff113 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -201,6 +201,14 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt, salt[5] >= '0' && salt[5] <= '9' && salt[6] == '$') { char output[PHP_MAX_SALT_LEN + 1]; + int k = 7; + + while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) { + k++; + } + if (k != salt_len) { + return FAILURE; + } memset(output, 0, PHP_MAX_SALT_LEN + 1); diff --git a/ext/standard/tests/strings/bug72703.phpt b/ext/standard/tests/strings/bug72703.phpt new file mode 100644 index 0000000000..5e3bf4875d --- /dev/null +++ b/ext/standard/tests/strings/bug72703.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify +--SKIPIF-- +<?php +if (!function_exists('crypt'))) { + die("SKIP crypt() is not available"); +} +?> +--FILE-- +<?php + var_dump(password_verify("","$2y$10$$")); +?> +==OK== +--EXPECT-- +bool(false) +==OK== + |