From 37acebcc8cdc94699d6288f2341aa1b482474ea5 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 24 Oct 2017 13:59:18 +0200
Subject: Fixed bug #72535 arcfour encryption stream filter crashes php

---
 ext/mcrypt/mcrypt_filter.c     |  2 +-
 ext/mcrypt/tests/bug72535.phpt | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 ext/mcrypt/tests/bug72535.phpt

diff --git a/ext/mcrypt/mcrypt_filter.c b/ext/mcrypt/mcrypt_filter.c
index cfaf25c3ab..fcb5064713 100644
--- a/ext/mcrypt/mcrypt_filter.c
+++ b/ext/mcrypt/mcrypt_filter.c
@@ -89,7 +89,7 @@ static php_stream_filter_status_t php_mcrypt_filter(
 			php_stream_bucket_delref(bucket TSRMLS_CC);
 		} else {
 			/* Stream cipher */
-			php_stream_bucket_make_writeable(bucket TSRMLS_CC);
+			bucket = php_stream_bucket_make_writeable(bucket TSRMLS_CC);
 			if (data->encrypt) {
 				mcrypt_generic(data->module, bucket->buf, bucket->buflen);
 			} else {
diff --git a/ext/mcrypt/tests/bug72535.phpt b/ext/mcrypt/tests/bug72535.phpt
new file mode 100644
index 0000000000..9e6d8333f9
--- /dev/null
+++ b/ext/mcrypt/tests/bug72535.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #72535 arcfour encryption stream filter crashes php
+--SKIPIF--
+<?php if (!extension_loaded("mcrypt")) print "skip"; ?>
+--FILE--
+<?php
+$passphrase = 'My secret';
+$plaintext = 'Secret secret secret data';
+
+$iv = substr(md5('iv' . $passphrase, true), 0, 8);
+$key = substr(md5('pass1' . $passphrase, true) .
+	              md5('pass2' . $passphrase, true), 0, 24);
+$opts = array('iv' => $iv, 'key' => $key, 'mode' => 'stream');
+
+$expected = substr($plaintext . $plaintext, 0, 48);
+
+$fp = fopen('php://memory', 'wb+');
+stream_filter_append($fp, 'mcrypt.arcfour', STREAM_FILTER_WRITE, $opts);
+fwrite($fp, $plaintext);
+?>
+==NOCRASH==
+--EXPECT--
+==NOCRASH==
-- 
cgit v1.2.1