gwynne Fri, 17 Jul 2009 14:21:31 +0000 URL: http://svn.php.net/viewvc?view=revision&revision=284267
Changed paths: U php/php-src/trunk/ext/session/session.c A php/php-src/trunk/ext/session/tests/031.phpt Log: fix crash when session hash function generated long hashes with hash_bits_per_character larger than 4 Modified: php/php-src/trunk/ext/session/session.c =================================================================== --- php/php-src/trunk/ext/session/session.c 2009-07-17 14:11:45 UTC (rev 284266) +++ php/php-src/trunk/ext/session/session.c 2009-07-17 14:21:31 UTC (rev 284267) @@ -284,7 +284,7 @@ unsigned char *digest; int digest_len; int j; - char *buf; + char *buf, *outid; struct timeval tv; zval **array; zval **token; @@ -332,6 +332,7 @@ efree(buf); return NULL; } + efree(buf); if (PS(entropy_length) > 0) { int fd; @@ -388,19 +389,15 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); } - if (PS_ID_INITIAL_SIZE < ((digest_len + 2) * (8 / PS(hash_bits_per_character))) ) { - /* 100 bytes is enough for most, but not all hash algos */ - buf = erealloc(buf, (digest_len + 2) * (8 / PS(hash_bits_per_character)) ); - } - - j = (int) (bin_to_readable((char *)digest, digest_len, buf, PS(hash_bits_per_character)) - buf); + outid = emalloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5)); + j = (int) (bin_to_readable((char *)digest, digest_len, outid, PS(hash_bits_per_character)) - outid); efree(digest); if (newlen) { *newlen = j; } - return buf; + return outid; } /* }}} */ Added: php/php-src/trunk/ext/session/tests/031.phpt =================================================================== --- php/php-src/trunk/ext/session/tests/031.phpt (rev 0) +++ php/php-src/trunk/ext/session/tests/031.phpt 2009-07-17 14:21:31 UTC (rev 284267) @@ -0,0 +1,22 @@ +--TEST-- +setting hash_function to sha512 and hash_bits_per_character > 4 should not crash +--SKIPIF-- +<?php include('skipif.inc'); ?> +--INI-- +session.use_cookies=0 +session.cache_limiter= +session.serialize_handler=php +session.save_handler=files +session.hash_function=sha512 +session.hash_bits_per_character=5 +--FILE-- +<?php +error_reporting(E_ALL); + +session_start(); +session_regenerate_id(TRUE); + +print "I live\n"; +?> +--EXPECT-- +I live
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php