authorAnatol Belski <ab@php.net>2016-09-10 02:44:21 +0200
committerAnatol Belski <ab@php.net>2016-09-10 02:44:21 +0200
commite539ea439b78a5f6ee41b2338fef377aa77632c1 (patch)
tree66a2092425759372273aecbf904d89ed2c97cd80 /ext
parente3c08de08adac203140be2f7855b5749147c0411 (diff)
parent669fda00b75a0d361810429e0ef53f6c740b1727 (diff)
downloadphp-git-e539ea439b78a5f6ee41b2338fef377aa77632c1.tar.gz
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Bug #73058 crypt broken when salt is 'too' long
Diffstat (limited to 'ext')
-rw-r--r--ext/standard/crypt.c8
-rw-r--r--ext/standard/crypt_blowfish.c4
-rw-r--r--ext/standard/tests/strings/bug73058.phpt29
3 files changed, 33 insertions, 8 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index bca3bd1363..66b37eb79e 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -204,14 +204,6 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
salt[1] == '2' &&
salt[3] == '$') {
char output[PHP_MAX_SALT_LEN + 1];
- int k = 7;
-
- while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
- k++;
- }
- if (k != salt_len) {
- return NULL;
- }
memset(output, 0, PHP_MAX_SALT_LEN + 1);
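Review bot: With the character-class loop removed, nothing left in this hunk checks the bytes that follow the `$2y$NN$` cost field, so php_crypt now hands any salt body to the blowfish code and relies on BF_decode() in crypt_blowfish.c (second hunk) to reject it; that decoder returns -1 only when it decodes nothing at all and zero-pads whatever follows the first non-alphabet character. Such a delegation is easy to undo by accident when someone later "re-adds" validation here, so a one-line comment in place of the deleted block would record it: `/* Salt body validation is done by BF_decode() in crypt_blowfish.c; only a body with no decodable leading characters is rejected. */`. php_crypt's body continues outside the hunk, so whether the decoder's failure is surfaced as a NULL return from this function is not visible here.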
diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
index 3348d0cd27..5cf306715f 100644
--- a/ext/standard/crypt_blowfish.c
+++ b/ext/standard/crypt_blowfish.c
@@ -405,6 +405,10 @@ static int BF_decode(BF_word *dst, const char *src, int size)
*dptr++ = ((c3 & 0x03) << 6) | c4;
} while (dptr < end);
+ if (end - dptr == size) {
+ return -1;
+ }
+
while (dptr < end) /* PHP hack */
*dptr++ = 0;
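Review bot: The new `end - dptr == size` guard is now the only rejection point for a malformed bcrypt salt (crypt.c stops validating salt characters in this same merge), and its all-or-nothing semantics deserve a comment: assuming `end` is `dst + size`, the condition holds only when the loop wrote no bytes, while a body that decodes at least one byte before reaching a non-alphabet character is accepted and padded with zeros by the `/* PHP hack */` loop below. Suggest `/* nothing decoded: salt body starts with a non-alphabet character, reject it; a partial decode is zero-padded below for short-salt compatibility */` above the `if`. The decode loop that decides where `dptr` stops begins before this hunk, so the comment should also point readers at the early exits in that loop.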
diff --git a/ext/standard/tests/strings/bug73058.phpt b/ext/standard/tests/strings/bug73058.phpt
new file mode 100644
index 0000000000..f099850213
--- /dev/null
+++ b/ext/standard/tests/strings/bug73058.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Bug #73058 crypt broken when salt is 'too' long
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+ die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+$pass = 'secret';
+
+$salt = '$2y$07$usesomesillystringforsalt$';
+var_dump(crypt($pass, $salt));
+
+$salt = '$2y$07$usesomesillystringforsaltzzzzzzzzzzzzz$';
+var_dump(crypt($pass, $salt));
+
+$salt = '$2y$07$usesomesillystringforx';
+var_dump(crypt($pass, $salt));
+
+?>
+==OK==
+--EXPECT--
+string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"
+string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"
+string(60) "$2y$07$usesomesillystringforuw2Gm1ef7lMsvtzSK2p/14F0q1e8uOCO"
+==OK==
+
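Review bot: The SKIPIF guard `if (!function_exists('crypt'))) {` has one closing parenthesis too many, so that section is a PHP parse error rather than a skip check; presumably the harness does not treat parse-error output as a skip, in which case the test runs regardless and the guard is dead. Change it to `if (!function_exists('crypt')) {`. The three cases also cover only salts whose body decodes at least one byte; a fourth case whose body begins with a character outside the bcrypt alphabet would pin the new `return -1` path in BF_decode together with whatever value crypt() exposes for it, which is the behaviour this merge relies on in place of the removed check in crypt.c.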