diff options
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/standard/crypt.c | 4 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug62443.phpt | 9 |
3 files changed, 13 insertions, 2 deletions
@@ -11,6 +11,8 @@ PHP NEWS includes a semi-colon). (Pierrick) . Fixed potential overflow in _php_stream_scandir (CVE-2012-2688). (Jason Powell, Stas) + . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed + Salt). (Anthony Ferrara) - EXIF: . Fixed information leak in ext exif (discovered by Martin Noga, diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 9a1fcf1f69..3ade86a068 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -199,7 +199,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed); salt[salt_in_len] = '\0'; @@ -222,7 +222,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed); salt[salt_in_len] = '\0'; diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt new file mode 100644 index 0000000000..9e0dc38cfb --- /dev/null +++ b/ext/standard/tests/strings/bug62443.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt +--FILE-- +<?php +crypt("foo", '$5$'.chr(0).'abc'); +crypt("foo", '$6$'.chr(0).'abc'); +echo "OK!"; +--EXPECT-- +OK! |