stas Tue, 20 Apr 2010 00:45:07 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298194
Log: fix 64-bit integer overflow in mhash_keygen_s2k Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/hash/hash.c U php/php-src/trunk/ext/hash/hash.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-04-20 00:18:36 UTC (rev 298193) +++ php/php-src/branches/PHP_5_3/NEWS 2010-04-20 00:45:07 UTC (rev 298194) @@ -16,6 +16,7 @@ - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) +- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) - Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe) - Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name) Modified: php/php-src/branches/PHP_5_3/ext/hash/hash.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/hash/hash.c 2010-04-20 00:18:36 UTC (rev 298193) +++ php/php-src/branches/PHP_5_3/ext/hash/hash.c 2010-04-20 00:45:07 UTC (rev 298194) 
@@ -739,15 +739,17 @@
 Generates a key using hash functions */
 PHP_FUNCTION(mhash_keygen_s2k)
 {
- long algorithm, bytes;
+ long algorithm, l_bytes;
+ int bytes;
 char *password, *salt;
 int password_len, salt_len;
 char padded_salt[SALT_SIZE];
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) {
 return;
 }
+ bytes = (int)l_bytes;
 if (bytes <= 0){
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter must be greater than 0");
 RETURN_FALSE;
Modified: php/php-src/trunk/ext/hash/hash.c
===================================================================
--- php/php-src/trunk/ext/hash/hash.c 2010-04-20 00:18:36 UTC (rev 298193)
+++ php/php-src/trunk/ext/hash/hash.c 2010-04-20 00:45:07 UTC (rev 298194)
@@ -744,15 +744,17 @@
 Generates a key using hash functions */
 PHP_FUNCTION(mhash_keygen_s2k)
 {
- long algorithm, bytes;
+ long algorithm, l_bytes;
+ int bytes;
 char *password, *salt;
 int password_len, salt_len;
 char padded_salt[SALT_SIZE];
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl", &algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) {
 return;
 }
+ bytes = (int)l_bytes;
 if (bytes <= 0){
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter must be greater than 0");
 RETURN_FALSE;
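Review bot: The narrowing `bytes = (int)l_bytes;` runs before any range check, so on a 64-bit build a request above INT_MAX is truncated rather than rejected: some values turn negative and get the misleading "must be greater than 0" warning, while others (4294967297, a constructed example) wrap to a small positive number and are accepted, producing a key of a different length than the caller asked for. Validate the `long` first and narrow only afterwards, for instance `if (l_bytes <= 0 || l_bytes > INT_MAX) {` ahead of the cast, keeping the existing warning and `RETURN_FALSE`. The identical trunk hunk at `@@ -744,15 +744,17 @@` needs the same guard. The rest of mhash_keygen_s2k lies outside both hunks, so any later arithmetic or allocation sized from `bytes` should be checked separately.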