summaryrefslogtreecommitdiff
path: root/ext/standard
diff options
context:
space:
mode:
authorNikita Popov <nikic@php.net>2012-06-29 12:47:37 +0200
committerNikita Popov <nikic@php.net>2012-06-29 13:11:43 +0200
commite6cf7d774519300c08399cae5bfba90e33749727 (patch)
tree8f8dc0c5e4e1b63522279c20d51b18470dfd9c6b /ext/standard
parent7e8276ca68fc622124d51d18e4f7b5cde3536de4 (diff)
downloadphp-git-e6cf7d774519300c08399cae5bfba90e33749727.tar.gz
Fix some lengths in crypt()
Use salt_len_in instead of strlen(salt) or PHP_MAX_SALT_LEN, otherwise too much memory will be allocated. sha512 has a 86 character checksum, not 43. That probably was a copy&paste from the sha256 code which indeed has 43. The allocation also was using sizeof(char *), thus allocating 4 or 8 times as much memory as necessary. The sizeof(char *) was removed in the 5.4 branch in b7a92c9 but forgotten on 5.3. The memset 0 call was using PHP_MAX_SALT_LEN which can be smaller than the output buffer and thus not zeroing out everything. Use the size of the output buffer (needed) instead.
Diffstat (limited to 'ext/standard')
-rw-r--r--ext/standard/crypt.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 2eb4fc3678..27a8d82d0e 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,8 +199,8 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha512_salt_prefix) - 1
+ sizeof(sha512_rounds_prefix) + 9 + 1
- + PHP_MAX_SALT_LEN + 1 + 43 + 1);
- output = emalloc(needed * sizeof(char *));
+ + salt_in_len + 1 + 86 + 1);
+ output = emalloc(needed);
salt[salt_in_len] = '\0';
crypt_res = php_sha512_crypt_r(str, salt, output, needed);
@@ -214,7 +214,7 @@ PHP_FUNCTION(crypt)
RETVAL_STRING(output, 1);
}
- memset(output, 0, PHP_MAX_SALT_LEN + 1);
+ memset(output, 0, needed);
efree(output);
} else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
const char sha256_salt_prefix[] = "$5$";
@@ -222,8 +222,8 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha256_salt_prefix) - 1
+ sizeof(sha256_rounds_prefix) + 9 + 1
- + PHP_MAX_SALT_LEN + 1 + 43 + 1);
- output = emalloc(needed * sizeof(char *));
+ + salt_in_len + 1 + 43 + 1);
+ output = emalloc(needed);
salt[salt_in_len] = '\0';
crypt_res = php_sha256_crypt_r(str, salt, output, needed);
@@ -237,7 +237,7 @@ PHP_FUNCTION(crypt)
RETVAL_STRING(output, 1);
}
- memset(output, 0, PHP_MAX_SALT_LEN + 1);
+ memset(output, 0, needed);
efree(output);
} else if (
salt[0] == '$' &&