Edit report at https://bugs.php.net/bug.php?id=62443&edit=1

 ID:                 62443
 Updated by:         ircmax...@php.net
 Reported by:        ircmax...@php.net
 Summary:            Crypt SHA256/512 Segfaults With Malformed Salt
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   All
 PHP Version:        master-Git-2012-06-28 (Git)
-Assigned To:
+Assigned To:        ircmaxell
 Block user comment: N
 Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2012-06-29 00:02:33] ircmax...@php.net

Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte.

This is because the emalloc call and the memset call use different length inputs
for the `output` string. The memset call then overflows the buffer.

Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>

and

<?php
crypt("foo", '$6$'.chr(0).'abc');
?>

Expected result:
----------------
No output

Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)

------------------------------------------------------------------------
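
Added example (not part of the original report and not PHP's source): a C sketch of the length mismatch the description names, computing the overrun instead of triggering it, beside a version where one length drives both calls. It assumes the allocation is sized from strlen() of the salt and the wipe uses a fixed length; WIPE_LEN, OVERHEAD and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WIPE_LEN 64   /* hypothetical fixed wipe length, not PHP's constant */
#define OVERHEAD 16   /* hypothetical room for prefix, digest and NUL */

/* Constructed salts: the report's "$5$" + NUL + "abc", and a long NUL-free one. */
const char salt_with_nul[] = "$5$\0abc";
const char salt_long[] = "$5$abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz";

/* Allocation size as C-string code sees the salt: strlen() stops at the
 * first NUL byte, so an embedded NUL shrinks the buffer. */
static size_t needed_for(const char *salt) {
    return strlen(salt) + OVERHEAD;
}

/* Flawed pattern, computed rather than executed: bytes that a wipe of
 * WIPE_LEN would write past a buffer of needed_for(salt) bytes. */
size_t flawed_wipe_overrun(const char *salt) {
    size_t needed = needed_for(salt);
    return WIPE_LEN > needed ? WIPE_LEN - needed : 0;
}

/* Corrected pattern: one variable sizes both the allocation and the wipe.
 * Returns the number of bytes wiped, or 0 if allocation fails. */
size_t wipe_with_single_length(const char *salt) {
    size_t needed = needed_for(salt);
    char *output = malloc(needed);
    if (output == NULL)
        return 0;
    memcpy(output, salt, strlen(salt) + 1);  /* stand-in for the hash output */
    memset(output, 0, needed);               /* same length as the allocation */
    free(output);
    return needed;
}

int main(void) {
    printf("NUL salt:  overrun=%zu wiped=%zu\n",
           flawed_wipe_overrun(salt_with_nul), wipe_with_single_length(salt_with_nul));
    printf("long salt: overrun=%zu wiped=%zu\n",
           flawed_wipe_overrun(salt_long), wipe_with_single_length(salt_long));
    return 0;
}
```

An optimizing compiler may drop a memset() that directly precedes free(); production code that wipes secrets normally uses a non-elidable primitive such as explicit_bzero() where available.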