author | Anatol Belski <ab@php.net> | 2016-08-29 20:34:44 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-08-29 20:34:44 +0200 |
commit | 22a825db85070ecb9b7e4e5d6499782500c5eb97 (patch) | |
tree | 2cd3a2e1c73cfdf8bc8b287ff34fa6a8ab436ce8 /ext/standard/crypt.c | |
parent | 722783c2c671353c93acd0718e1481c8969fe561 (diff) | |
parent | 946335ba706b7dbfe70a5fc9a1e74ee46af19cfe (diff) | |
download | php-git-22a825db85070ecb9b7e4e5d6499782500c5eb97.tar.gz |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
Diffstat (limited to 'ext/standard/crypt.c')
-rw-r--r-- | ext/standard/crypt.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index f2f778e764..bb68da082c 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -158,6 +158,14 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 salt[1] == '2' && salt[3] == '$') {
 char output[PHP_MAX_SALT_LEN + 1];
+ int k = 7;
+
+ while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+ k++;
+ }
+ if (k != salt_len) {
+ return NULL;
+ }
 memset(output, 0, PHP_MAX_SALT_LEN + 1); |
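Review bot: The new scan starts at `salt[7]` and stops only on a non-matching byte, so it relies on `salt` being NUL-terminated and at least 7 bytes long. The visible condition tests only `salt[1]` and `salt[3]`, so unless a length check sits above the hunk, a shorter input makes the first `salt[k]` read land past the terminator. Bounding the loop by the known length keeps the validation itself in bounds: `while (k < salt_len && (isalnum((unsigned char)salt[k]) || '.' == salt[k] || '/' == salt[k])) {`. The `(unsigned char)` cast is part of the suggestion because `isalnum` on a negative plain `char` is undefined and its result is locale-dependent, which matters when the hash string comes from untrusted storage. `php_crypt` starts and ends outside the hunk.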