bug62443.phpt

Anthony Ferrara Thu, 28 Jun 2012 18:03:49 -0700

Commit:    7e8276ca68fc622124d51d18e4f7b5cde3536de4
Author:    Anthony Ferrara <ircmax...@ircmaxell.com>         Thu, 28 Jun 2012 
20:00:03 -0400
Parents:   974324676b2436f159f42d9241c569f813471684
Branches:  PHP-5.3 PHP-5.4 master


Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4

Log:
Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)

Fixed a memory allocation bug in crypt() SHA256/512 that can
cause segmentation faults when passed in salts with a null byte
early.

Bugs:
https://bugs.php.net/62443

Changed paths:
  M  NEWS
  M  ext/standard/crypt.c
  A  ext/standard/tests/strings/bug62443.phpt


Diff:
diff --git a/NEWS b/NEWS
index 520aa19..80d56bc 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP                                                           
             NEWS
     Stas)
   . Fixed bug #62432 (ReflectionMethod random corrupt memory on high
     concurrent). (Johannes)
+  . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed 
+    Salt). (Anthony Ferrara)
 
 - Fileinfo:
   . Fixed magic file regex support. (Felipe)
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index e0d90e7..2eb4fc3 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,7 +199,7 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha512_salt_prefix) - 1
                                                + sizeof(sha512_rounds_prefix) 
+ 9 + 1
-                                               + strlen(salt) + 1 + 43 + 1);
+                                               + PHP_MAX_SALT_LEN + 1 + 43 + 
1);
                        output = emalloc(needed * sizeof(char *));
                        salt[salt_in_len] = '\0';
 
@@ -222,7 +222,7 @@ PHP_FUNCTION(crypt)
                        char *output;
                        int needed = (sizeof(sha256_salt_prefix) - 1
                                                + sizeof(sha256_rounds_prefix) 
+ 9 + 1
-                                               + strlen(salt) + 1 + 43 + 1);
+                                               + PHP_MAX_SALT_LEN + 1 + 43 + 
1);
                        output = emalloc(needed * sizeof(char *));
                        salt[salt_in_len] = '\0';
 
diff --git a/ext/standard/tests/strings/bug62443.phpt 
b/ext/standard/tests/strings/bug62443.phpt
new file mode 100644
index 0000000..9e0dc38
--- /dev/null
+++ b/ext/standard/tests/strings/bug62443.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
+--FILE--
+<?php
+crypt("foo", '$5$'.chr(0).'abc');
+crypt("foo", '$6$'.chr(0).'abc');
+echo "OK!";
+--EXPECT--
+OK!


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] com php-src: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt): NEWS ext/standard/crypt.c ext/standard/tests/strings/bug62443.phpt

Reply via email to