gwynne          Fri, 17 Jul 2009 14:21:59 +0000

URL: http://svn.php.net/viewvc?view=revision&revision=284268

Changed paths:
        U   php/php-src/branches/PHP_5_3/ext/session/session.c
        A   php/php-src/branches/PHP_5_3/ext/session/tests/031.phpt

Log:
MFH: fix crash when session hash function generated long hashes with
hash_bits_per_character larger than 4

Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/session.c  2009-07-17 14:21:31 UTC 
(rev 284267)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c  2009-07-17 14:21:59 UTC 
(rev 284268)
@@ -347,7 +347,6 @@
 }
 /* }}} */

-#define PS_ID_INITIAL_SIZE     100
 PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 {
        PHP_MD5_CTX md5_context;
@@ -358,7 +357,7 @@
        unsigned char *digest;
        int digest_len;
        int j;
-       char *buf;
+       char *buf, *outid;
        struct timeval tv;
        zval **array;
        zval **token;
@@ -406,6 +405,7 @@
                        efree(buf);
                        return NULL;
        }
+       efree(buf);

        if (PS(entropy_length) > 0) {
                int fd;
@@ -461,20 +461,16 @@

                php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting 
hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for 
now");
        }
-
-       if (PS_ID_INITIAL_SIZE < ((digest_len + 2) * (8 / 
PS(hash_bits_per_character))) ) {
-               /* 100 bytes is enough for most, but not all hash algos */
-               buf = erealloc(buf, (digest_len + 2) * (8 / 
PS(hash_bits_per_character)) );
-       }
-
-       j = (int) (bin_to_readable((char *)digest, digest_len, buf, 
PS(hash_bits_per_character)) - buf);
+
+       outid = emalloc((digest_len + 2) * ((8.0f / 
PS(hash_bits_per_character)) + 0.5));
+       j = (int) (bin_to_readable((char *)digest, digest_len, outid, 
PS(hash_bits_per_character)) - outid);
        efree(digest);

        if (newlen) {
                *newlen = j;
        }

-       return buf;
+       return outid;
 }
 /* }}} */


Added: php/php-src/branches/PHP_5_3/ext/session/tests/031.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/tests/031.phpt                     
        (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/session/tests/031.phpt     2009-07-17 
14:21:59 UTC (rev 284268)
@@ -0,0 +1,22 @@
+--TEST--
+setting hash_function to sha512 and hash_bits_per_character > 4 should not 
crash
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--INI--
+session.use_cookies=0
+session.cache_limiter=
+session.serialize_handler=php
+session.save_handler=files
+session.hash_function=sha512
+session.hash_bits_per_character=5
+--FILE--
+<?php
+error_reporting(E_ALL);
+
+session_start();
+session_regenerate_id(TRUE);
+
+print "I live\n";
+?>
+--EXPECT--
+I live

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to