Bug #49738 calling mcrypt after mcrypt_generic_deinit crashes
Submitted: 2009-10-01 16:17 UTC Modified: 2009-10-02 00:16 UTC
From: terrafrost@php.net Assigned: srinatar
Status: Closed Package: mcrypt related
PHP Version: 5.2.11 OS: Windows XP
Private report: No CVE-ID:
 [2009-10-01 16:17 UTC] terrafrost@php.net
Description:
------------
In bug # 41252, it was observed that, in PHP4, calling mcrypt_generic() before calling mcrypt_module_open() would cause PHP4 to crash.  PHP5 apparently had extra checks to protect against this that were backported.  These extra checks, however, do not appear to be sufficient, as the following reproduce code demonstrates.

Sure, calling mcrypt_generic_deinit() before calling mcrypt_generic is probably not something you ought to be doing, anyway, but I still don't think it ought to crash PHP.

Reproduce code:
---------------
<?php
$td = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, '');
mcrypt_generic_init($td, 'aaaaaaaa', 'aaaaaaaa'); // 8-byte key and IV for DES/ECB
mcrypt_generic_deinit($td);                       // tears down the cipher state
echo mcrypt_generic($td, 'aaaaaaaa');             // line 5: should warn, crashes instead
?>

Expected result:
----------------
Warning: mcrypt_generic(): Operation disallowed prior to
mcrypt_generic_init() in (unknown) on line 5


Actual result:
--------------
It crashes.

 [2009-10-01 16:19 UTC] jani@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2009-10-01 19:58 UTC] srinatar@php.net
Thanks for reporting this issue.

I was able to reproduce this and here is the backtrace:

current thread: t@1
  [1] permute_ip(0x8c6fa70, 0x0, 0x8046588, 0xfeeec5ea), at 0xfeeeca3e
  [2] des_LTX__mcrypt_encrypt(0x0, 0x8c6fa70, 0x0, 0xfeef00b2), at 0xfeeec603
  [3] ecb_LTX__mcrypt(0x0, 0x8c6fa70, 0x8, 0x8, 0x0, 0xfeeec5dc, 0xfeeec7dc, 0xfeee6732), at 0xfeef0153
  [4] mcrypt(0x8dfcd20, 0x0, 0x8c6fa70, 0x8, 0x8046678), at 0xfeee676f
=>[5] mcrypt_generic(0x8dfcd20, 0x8c6fa70, 0x8), at 0xfeee50a0
  [6] zif_mcrypt_generic(ht = 2, return_value = 0x8c6f938, return_value_ptr = (nil), this_ptr = (nil), return_value_used = 1), line 682 in "mcrypt.c"
  [7] zend_do_fcall_common_helper_SPEC(execute_data = 0x8dfcf60), line 313 in "zend_vm_execute.h"
  [8] ZEND_DO_FCALL_SPEC_CONST_HANDLER(execute_data = 0x8dfcf60), line 1602 in "zend_vm_execute.h"
  [9] execute(op_array = 0x8c6f098), line 104 in "zend_vm_execute.h"
  [10] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = (nil), ...), line 1188 in "zend.c"
  [11] php_execute_script(primary_file = 0x8047140), line 2214 in "main.c"
  [12] main(argc = 2, argv = 0x80471bc), line 1190 in "php_cli.c"

Here is why this issue is happening:

When mcrypt_generic_deinit is invoked, we should set init = 0 so that the next request to mcrypt_generic will force the user to invoke generic_init again.

Here is a patch that can address this bug:
[sriramn@sriramn]'PHP_5_3'>svn diff
Index: ext/mcrypt/mcrypt.c
===================================================================
--- ext/mcrypt/mcrypt.c (revision 289068)
+++ ext/mcrypt/mcrypt.c (working copy)
@@ -780,6 +780,7 @@
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not terminate encryption specifier");
                RETURN_FALSE
        }
+       pm->init = 0;
        RETURN_TRUE
 }
 /* }}} */
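Review bot: the added `pm->init = 0;` runs only on the success path, so when the `mcrypt_generic_deinit` call fails (the `"Could not terminate encryption specifier"` warning followed by `RETURN_FALSE` just above the added line) the flag stays at 1 and a later `mcrypt_generic()` call would still pass the init check against a handle whose teardown was already attempted; consider whether the flag should also be cleared before that `RETURN_FALSE`, or document why a failed deinit is meant to leave the handle usable. A .phpt regression test built from the report's reproduce script, expecting the "Operation disallowed prior to mcrypt_generic_init()" warning, would also pin the corrected behaviour.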


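The init-flag lifecycle the comment above describes, where deinit clears the flag so that a later generic call is refused instead of touching freed cipher state, as an added C example that is not PHP's or libmcrypt's code: the handle type, the 8-byte XOR "cipher" standing in for DES, and all function names are constructed for illustration.

```c
/* Added example (not PHP's or libmcrypt's code): models the mcrypt handle
 * lifecycle from bug #49738 with an explicit init flag.  The "cipher" is a
 * constructed 8-byte XOR stand-in for DES; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 8

typedef struct {
    unsigned char *key;   /* allocated by generic_init, freed by generic_deinit */
    int init;             /* 1 between a successful init and deinit, else 0 */
} handle_t;

/* Equivalent of mcrypt_module_open(): a handle with no cipher state yet. */
handle_t *module_open(void) {
    return calloc(1, sizeof(handle_t));   /* key = NULL, init = 0 */
}

/* Equivalent of mcrypt_generic_deinit(): release the key and, crucially,
 * clear the init flag so later generic calls are refused (the fix's line). */
int generic_deinit(handle_t *h) {
    if (!h || !h->init) return -1;        /* nothing to tear down */
    free(h->key);
    h->key = NULL;
    h->init = 0;
    return 0;
}

/* Equivalent of mcrypt_generic_init(): install an 8-byte key. */
int generic_init(handle_t *h, const unsigned char *key, size_t keylen) {
    if (!h || keylen != BLOCK_SIZE) return -1;
    if (h->init) generic_deinit(h);       /* re-init releases the old key */
    h->key = malloc(BLOCK_SIZE);
    if (!h->key) return -1;
    memcpy(h->key, key, BLOCK_SIZE);
    h->init = 1;
    return 0;
}

/* Equivalent of mcrypt_generic(): transform one block in place.
 * Returns 0 on success, -1 if the handle is not initialised.  Without the
 * init check, a handle whose key was freed by generic_deinit would be
 * dereferenced here, which is the crash the report describes. */
int generic_encrypt(handle_t *h, unsigned char *block) {
    if (!h || !h->init) {
        fprintf(stderr, "Operation disallowed prior to generic_init()\n");
        return -1;
    }
    for (int i = 0; i < BLOCK_SIZE; i++) block[i] ^= h->key[i];
    return 0;
}

/* Equivalent of mcrypt_module_close(): safe regardless of init state. */
void module_close(handle_t *h) {
    if (!h) return;
    if (h->init) generic_deinit(h);
    free(h);
}

/* Replays the report's sequence (init, deinit, generic) and returns the
 * result of the final generic call: -1 means it was refused, not crashed. */
int replay_bug_sequence(void) {
    handle_t *h = module_open();
    unsigned char key[BLOCK_SIZE], block[BLOCK_SIZE];
    memset(key, 'a', BLOCK_SIZE);          /* the report's 'aaaaaaaa' key */
    memset(block, 'a', BLOCK_SIZE);
    generic_init(h, key, BLOCK_SIZE);
    generic_deinit(h);
    int rc = generic_encrypt(h, block);    /* -1: init flag was cleared */
    module_close(h);
    return rc;
}

/* Sanity check of the happy path: XOR applied twice restores the block. */
int roundtrip_ok(void) {
    handle_t *h = module_open();
    unsigned char key[BLOCK_SIZE], block[BLOCK_SIZE], orig[BLOCK_SIZE];
    memset(key, 'k', BLOCK_SIZE);
    memcpy(block, "plaintxt", BLOCK_SIZE); /* constructed 8-byte sample block */
    memcpy(orig, block, BLOCK_SIZE);
    int ok = generic_init(h, key, BLOCK_SIZE) == 0
          && generic_encrypt(h, block) == 0
          && memcmp(block, orig, BLOCK_SIZE) != 0   /* block was transformed */
          && generic_encrypt(h, block) == 0
          && memcmp(block, orig, BLOCK_SIZE) == 0;  /* and restored */
    module_close(h);
    return ok;
}

int main(void) {
    printf("generic after deinit -> %d (expect -1)\n", replay_bug_sequence());
    printf("roundtrip ok -> %d (expect 1)\n", roundtrip_ok());
    return 0;
}
```

The only difference between the crashing and the safe behaviour is the single `h->init = 0;` assignment in `generic_deinit`: with it, the `!h->init` guard in `generic_encrypt` fires and the caller gets a warning and an error code; without it, the guard passes and the freed key pointer is dereferenced.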
 [2009-10-02 00:13 UTC] svn@php.net
Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&revision=289076
Log: - Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes).
 [2009-10-02 00:16 UTC] srinatar@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-10-09 17:28 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289433
Log: - Merge: Fixed bug #49738 (calling mcrypt after mcrypt_generic_deinit crashes)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 14:02:33 2014 UTC