Commit:    e6cf7d774519300c08399cae5bfba90e33749727
Author:    Nikita Popov <ni...@php.net>         Fri, 29 Jun 2012 12:47:37 +0200
Parents:   7e8276ca68fc622124d51d18e4f7b5cde3536de4
Branches:  PHP-5.3 PHP-5.4 master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=e6cf7d774519300c08399cae5bfba90e33749727

Log:
Fix some lengths in crypt()

Use salt_in_len instead of strlen(salt) or PHP_MAX_SALT_LEN, otherwise too
much memory will be allocated.

sha512 has a 86 character checksum, not 43. That probably was a copy&paste
from the sha256 code which indeed has 43.

The allocation also was using sizeof(char *), thus allocating 4 or 8 times
as much memory as necessary. The sizeof(char *) was removed in the 5.4
branch in b7a92c9 but forgotten on 5.3.

The memset 0 call was using PHP_MAX_SALT_LEN which can be smaller than the
output buffer and thus not zeroing out everything. Use the size of the
output buffer (needed) instead.

Changed paths:
  M  ext/standard/crypt.c


Diff:
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 2eb4fc3..27a8d82 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,8 +199,8 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha512_salt_prefix) - 1
                                                + sizeof(sha512_rounds_prefix) 
+ 9 + 1
-                                               + PHP_MAX_SALT_LEN + 1 + 43 + 
1);
-                       output = emalloc(needed * sizeof(char *));
+                                               + salt_in_len + 1 + 86 + 1);
+                       output = emalloc(needed);
                        salt[salt_in_len] = '\0';
 
                        crypt_res = php_sha512_crypt_r(str, salt, output, 
needed);
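Review bot: The size in `needed` now depends on `salt_in_len`, and nothing visible in this hunk bounds that value or shows that the sum is an upper bound on what `php_sha512_crypt_r` can write into `output`. PHP_FUNCTION(crypt) starts and ends outside the hunk, so the clamp may well exist earlier, but the invariant deserves a comment next to the arithmetic, for example `/* prefix + rounds prefix + up to 9 digits + '$' + salt + '$' + 86-char checksum + NUL */`. The bare `86` here and the `43` in the sha256 hunk at -222 would read better as named constants, since the commit message says the old value was a copy-and-paste slip. It is also worth confirming that a NULL `crypt_res` from a too-small buffer is handled on the lines between this hunk and the next.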
@@ -214,7 +214,7 @@ PHP_FUNCTION(crypt)
                                RETVAL_STRING(output, 1);
                        }
 
-                       memset(output, 0, PHP_MAX_SALT_LEN + 1);
+                       memset(output, 0, needed);
                        efree(output);
                } else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
                        const char sha256_salt_prefix[] = "$5$";
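Review bot: The `memset(output, 0, needed);` sits directly before `efree(output);`, so it is a store to memory that is never read again and an optimising compiler may drop it, leaving the computed hash in freed heap memory. Whether that happens depends on how much the compiler knows about `efree`, which is not visible here. Fixing the length is correct, but the wipe should go through something the compiler cannot remove: `explicit_bzero` or `memset_s` where the platform provides them, or a small helper that writes through a `volatile unsigned char *`. The same applies to the sha256 branch in the hunk at -237.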
@@ -222,8 +222,8 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha256_salt_prefix) - 1
                                                + sizeof(sha256_rounds_prefix) 
+ 9 + 1
-                                               + PHP_MAX_SALT_LEN + 1 + 43 + 
1);
-                       output = emalloc(needed * sizeof(char *));
+                                               + salt_in_len + 1 + 43 + 1);
+                       output = emalloc(needed);
                        salt[salt_in_len] = '\0';
 
                        crypt_res = php_sha256_crypt_r(str, salt, output, 
needed);
@@ -237,7 +237,7 @@ PHP_FUNCTION(crypt)
                                RETVAL_STRING(output, 1);
                        }
 
-                       memset(output, 0, PHP_MAX_SALT_LEN + 1);
+                       memset(output, 0, needed);
                        efree(output);
                } else if (
                                salt[0] == '$' &&

