stas Tue, 20 Apr 2010 00:45:07 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=298194
Log:
fix 64-bit integer overflow in mhash_keygen_s2k
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/hash/hash.c
U php/php-src/trunk/ext/hash/hash.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-20 00:18:36 UTC (rev 298193)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-20 00:45:07 UTC (rev 298194)
@@ -16,6 +16,7 @@
- Fixed a NULL pointer dereference when processing invalid XML-RPC
requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+- Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas)
- Fixed bug #51590 (JSON_ERROR_UTF8 is undefined). (Felipe)
- Fixed bug #51577 (Uninitialized memory reference with oci_bind_array_by_name)
Modified: php/php-src/branches/PHP_5_3/ext/hash/hash.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/hash/hash.c 2010-04-20 00:18:36 UTC
(rev 298193)
+++ php/php-src/branches/PHP_5_3/ext/hash/hash.c 2010-04-20 00:45:07 UTC
(rev 298194)
@@ -739,15 +739,17 @@
Generates a key using hash functions */
PHP_FUNCTION(mhash_keygen_s2k)
{
- long algorithm, bytes;
+ long algorithm, l_bytes;
+ int bytes;
char *password, *salt;
int password_len, salt_len;
char padded_salt[SALT_SIZE];
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl",
&algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl",
&algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) {
return;
}
+ bytes = (int)l_bytes;
if (bytes <= 0){
php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter
must be greater than 0");
RETURN_FALSE;
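Review bot: The narrowing at `bytes = (int)l_bytes;` runs before any range check, so on an LP64 build a caller-supplied length above INT_MAX is silently truncated instead of rejected; a value whose low 32 bits form a small positive number passes `bytes <= 0`, and the key length used would differ from the one requested. Validate the parsed long first and narrow afterwards: use `if (l_bytes <= 0 || l_bytes > INT_MAX) {` in place of the current test, and move `bytes = (int)l_bytes;` below the rejection branch. The body of mhash_keygen_s2k continues past the end of the hunk, so it cannot be seen here whether `bytes` gets an upper bound before it is used for sizing; if it does not, a documented maximum would be worth adding. The identical hunk for php/php-src/trunk/ext/hash/hash.c (`@@ -744,15 +744,17 @@`) has the same ordering and needs the same change.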
Modified: php/php-src/trunk/ext/hash/hash.c
===================================================================
--- php/php-src/trunk/ext/hash/hash.c 2010-04-20 00:18:36 UTC (rev 298193)
+++ php/php-src/trunk/ext/hash/hash.c 2010-04-20 00:45:07 UTC (rev 298194)
@@ -744,15 +744,17 @@
Generates a key using hash functions */
PHP_FUNCTION(mhash_keygen_s2k)
{
- long algorithm, bytes;
+ long algorithm, l_bytes;
+ int bytes;
char *password, *salt;
int password_len, salt_len;
char padded_salt[SALT_SIZE];
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl",
&algorithm, &password, &password_len, &salt, &salt_len, &bytes) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "lssl",
&algorithm, &password, &password_len, &salt, &salt_len, &l_bytes) == FAILURE) {
return;
}
+ bytes = (int)l_bytes;
if (bytes <= 0){
php_error_docref(NULL TSRMLS_CC, E_WARNING, "the byte parameter
must be greater than 0");
RETURN_FALSE;