stas                                     Mon, 04 Jul 2011 23:38:09 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=312919

Log:
fix crypt() issue with overlong salt

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/crypt.c
    A   
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_variation1.phpt
    U   php/php-src/branches/PHP_5_4/ext/standard/crypt.c
    A   
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/crypt_variation1.phpt
    A   php/php-src/trunk/ext/standard/tests/strings/crypt_variation1.phpt

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2011-07-04 23:22:24 UTC (rev 312918)
+++ php/php-src/branches/PHP_5_3/NEWS   2011-07-04 23:38:09 UTC (rev 312919)
@@ -4,6 +4,7 @@
 - Core
   . Fixed bug #53727 (Inconsistent behavior of is_subclass_of with interfaces)
     (Ralph Schindler, Dmitry)
+  . Fixed buffer overflow on overlog salt in crypt(). (Clément LECIGNE, Stas)

 - PDO DBlib:
   . Fixed bug #54329 (MSSql extension memory leak).

Modified: php/php-src/branches/PHP_5_3/ext/standard/crypt.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/crypt.c   2011-07-04 23:22:24 UTC 
(rev 312918)
+++ php/php-src/branches/PHP_5_3/ext/standard/crypt.c   2011-07-04 23:38:09 UTC 
(rev 312919)
@@ -179,6 +179,8 @@
                salt[2] = '\0';
 #endif
                salt_in_len = strlen(salt);
+       } else {
+               salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
        }

 /* Windows (win32/crypt) has a stripped down version of libxcrypt and

Added: 
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_variation1.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_variation1.phpt   
                            (rev 0)
+++ 
php/php-src/branches/PHP_5_3/ext/standard/tests/strings/crypt_variation1.phpt   
    2011-07-04 23:38:09 UTC (rev 312919)
@@ -0,0 +1,23 @@
+--TEST--
+crypt() function - long salt
+--SKIPIF--
+<?php
+if (!function_exists('crypt')) {
+       die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+
+$b = str_repeat("A", 124);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 125);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 4096);
+echo crypt("A", "$5$" . $b)."\n";
+
+?>
+--EXPECTF--
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6

Modified: php/php-src/branches/PHP_5_4/ext/standard/crypt.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/crypt.c   2011-07-04 23:22:24 UTC 
(rev 312918)
+++ php/php-src/branches/PHP_5_4/ext/standard/crypt.c   2011-07-04 23:38:09 UTC 
(rev 312919)
@@ -179,6 +179,8 @@
                salt[2] = '\0';
 #endif
                salt_in_len = strlen(salt);
+       } else {
+               salt_in_len = MIN(PHP_MAX_SALT_LEN, salt_in_len);
        }

 /* Windows (win32/crypt) has a stripped down version of libxcrypt and

Added: 
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/crypt_variation1.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/crypt_variation1.phpt   
                            (rev 0)
+++ 
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/crypt_variation1.phpt   
    2011-07-04 23:38:09 UTC (rev 312919)
@@ -0,0 +1,23 @@
+--TEST--
+crypt() function - long salt
+--SKIPIF--
+<?php
+if (!function_exists('crypt')) {
+       die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+
+$b = str_repeat("A", 124);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 125);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 4096);
+echo crypt("A", "$5$" . $b)."\n";
+
+?>
+--EXPECTF--
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6

Added: php/php-src/trunk/ext/standard/tests/strings/crypt_variation1.phpt
===================================================================
--- php/php-src/trunk/ext/standard/tests/strings/crypt_variation1.phpt          
                (rev 0)
+++ php/php-src/trunk/ext/standard/tests/strings/crypt_variation1.phpt  
2011-07-04 23:38:09 UTC (rev 312919)
@@ -0,0 +1,23 @@
+--TEST--
+crypt() function - long salt
+--SKIPIF--
+<?php
+if (!function_exists('crypt')) {
+       die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+
+$b = str_repeat("A", 124);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 125);
+echo crypt("A", "$5$" . $b)."\n";
+$b = str_repeat("A", 4096);
+echo crypt("A", "$5$" . $b)."\n";
+
+?>
+--EXPECTF--
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6
+$5$AAAAAAAAAAAAAAAA$frotiiztWZiwcncxnY5tWG9Ida2WOZEximjLXCleQu6

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to