|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2017-04-10 10:19 UTC] hboomsma at hostnet dot nl
Description: ------------ When using the output of bin2hex(random_bytes) in a openssl_seal, segaults starts occurring. We got around this problem in our source by prepending an 'A' to the random bytes before calling bin2hex on them. Crashed on all versions supporting random_bytes: https://3v4l.org/lrLgW Test script: --------------- <?php define( 'KEY', <<<'KEY' -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqvjCLfpS0MyilIjR+IsH HPH8TqFUCw4kTAVmTy9SDZV9hHYY2EPgrlTd7gvMP/DWipvBD6Y5w2bPdAQoXr5D qEKAGkE+1El4hS8XyuOdYXSYTDH1HPSlFiGdgsnlkFcbh/fJyzIKBaGLnWxsjhiS deiI7KuEkI9zt+X2r4KqFt/dhnXz0kcB1M7qyhQ6Rvijgjy/A1LsN4ZAREFLCEjb 1AP9nk0QAUHWcG5MvbgsE20Pn4R5wFsMFBTvNmb34jHFREgR9j4DYcV5FFR3tKb8 3XtjE9/kjfK29BSpiyXZs8PSqDhO00vh6txUB4VfkVUD2Bi93rxDeyALnCW7My+l YwIDAQAB -----END PUBLIC KEY----- KEY ); $bytes = random_bytes(32); $iv = ''; for ($i = 0; $i < 100; $i++) { openssl_seal(bin2hex($bytes), $sealed_data, $env_keys, [KEY], 'AES256', $iv); \ob_end_clean(); } Expected result: ---------------- no output and no crash Actual result: -------------- Notice: P ��� in /in/lrLgW on line 22 Process exited with code 139. PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 16 09:01:25 2025 UTC |
This causes an invalid write on openssl.c:5900 (buf[len1 + len2] = '\0';), possibly because data_len is -1, possibly a mistake from upgrade to ng ... diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 556e377081..79884e26c6 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5833,6 +5833,8 @@ PHP_FUNCTION(openssl_seal) RETURN_FALSE; } + data_len++; + PHP_OPENSSL_CHECK_SIZE_T_TO_INT(data_len, data); if (method) { Possibly ... but we should wait for someone with more of a clue, I'm scared of openssl ...