Edit report at https://bugs.php.net/bug.php?id=62443&edit=1
ID:                 62443
Updated by:         ircmax...@php.net
Reported by:        ircmax...@php.net
Summary:            Crypt SHA256/512 Segfaults With Malformed Salt
-Status:            Assigned
+Status:            Closed
Type:               Bug
Package:            Reproducible crash
Operating System:   All
PHP Version:        master-Git-2012-06-28 (Git)
Assigned To:        ircmaxell
Block user comment: N
Private report:     N

New Comment:

This has been fixed in the 5.3, 5.4 and master branches.

Previous Comments:
------------------------------------------------------------------------
[2012-06-29 01:03:13] ircmax...@php.net

Automatic comment on behalf of ircmax...@ircmaxell.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4
Log: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)

------------------------------------------------------------------------
[2012-06-29 00:02:33] ircmax...@php.net

Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte.
This is because the emalloc call and the memset call use different length inputs
for the `output` string. The memset call then overflows the buffer.

Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>

and

<?php
crypt("foo", '$6$'.chr(0).'abc');
?>

Expected result:
----------------
No output

Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=62443&edit=1
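
A simplified C model of the length mismatch described in the report, added here as an illustration; it is not PHP's source code. The function names, the OVERHEAD constant, and the choice of strlen() versus the caller-supplied salt length as the two length sources are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OVERHEAD 32  /* constructed value: room for prefix, digest and NUL */

/* Length source 1 (assumed): strlen() stops at the first NUL in the salt. */
size_t alloc_len(const char *salt) {
    return OVERHEAD + strlen(salt);
}

/* Length source 2 (assumed): the binary-safe length the caller passed in. */
size_t wipe_len(size_t salt_len) {
    return OVERHEAD + salt_len;
}

/* Bytes a memset(output, 0, wipe_len) would write past an alloc_len buffer.
 * Zero for NUL-free salts, positive as soon as the salt embeds a NUL. */
size_t wipe_overrun(const char *salt, size_t salt_len) {
    size_t a = alloc_len(salt), w = wipe_len(salt_len);
    return w > a ? w - a : 0;
}

/* Corrected pattern: one length drives both the allocation and the wipe.
 * Returns the number of bytes allocated and wiped, or 0 on failure. */
size_t safe_roundtrip(const char *salt, size_t salt_len) {
    size_t needed = OVERHEAD + salt_len;
    char *output = malloc(needed);
    if (output == NULL)
        return 0;
    memcpy(output, salt, salt_len);  /* stand-in for the real hashing step */
    memset(output, 0, needed);       /* wipe exactly what was allocated */
    free(output);
    return needed;
}

int main(void) {
    /* Constructed salts, both 7 bytes long; the first embeds a NUL. */
    const char with_nul[] = "$5$\0abc";
    const char plain[]    = "$5$abcd";
    printf("overrun with NUL salt: %zu bytes\n",
           wipe_overrun(with_nul, sizeof with_nul - 1));
    printf("overrun with plain salt: %zu bytes\n",
           wipe_overrun(plain, sizeof plain - 1));
    printf("safe path wiped: %zu bytes\n",
           safe_roundtrip(with_nul, sizeof with_nul - 1));
    return 0;
}
```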