Commit: 7e8276ca68fc622124d51d18e4f7b5cde3536de4 Author: Anthony Ferrara <ircmax...@ircmaxell.com> Thu, 28 Jun 2012 20:00:03 -0400 Parents: 974324676b2436f159f42d9241c569f813471684 Branches: PHP-5.3 PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4 Log: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt) Fixed a memory allocation bug in crypt() SHA256/512 that can cause segmentation faults when passed in salts with a null byte early. Bugs: https://bugs.php.net/62443 Changed paths: M NEWS M ext/standard/crypt.c A ext/standard/tests/strings/bug62443.phpt Diff: diff --git a/NEWS b/NEWS index 520aa19..80d56bc 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,8 @@ PHP NEWS Stas) . Fixed bug #62432 (ReflectionMethod random corrupt memory on high concurrent). (Johannes) + . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed + Salt). (Anthony Ferrara) - Fileinfo: . Fixed magic file regex support. (Felipe) diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index e0d90e7..2eb4fc3 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -199,7 +199,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; @@ -222,7 +222,7 @@ PHP_FUNCTION(crypt) char *output; int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1 - + strlen(salt) + 1 + 43 + 1); + + PHP_MAX_SALT_LEN + 1 + 43 + 1); output = emalloc(needed * sizeof(char *)); salt[salt_in_len] = '\0'; diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt new file mode 100644 index 0000000..9e0dc38 --- /dev/null +++ b/ext/standard/tests/strings/bug62443.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt +--FILE-- +<?php +crypt("foo", '$5$'.chr(0).'abc'); +crypt("foo", '$6$'.chr(0).'abc'); +echo "OK!"; +--EXPECT-- +OK! -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php