php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61124 Segmentation fault
Submitted: 2012-02-17 17:11 UTC Modified: 2012-02-23 01:28 UTC
From: mangirdas at impresspages dot org Assigned: scottmac
Status: Closed Package: OpenSSL related
PHP Version: 5.3.10 OS: CentOS release 5.7 (Final)
Private report: No CVE-ID:
 [2012-02-17 17:11 UTC] mangirdas at impresspages dot org
Description:
------------
This function throws a segmentation fault:

openssl_decrypt ('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', $rawOutput, 
'pass');

Test script:
---------------
<?php
openssl_decrypt ('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', $rawOutput, 
'pass');

Expected result:
----------------
FALSE, because encrypted string is incorrect.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-17 17:35 UTC] rasmus@php.net
Confirmed

It would help to mention that this gives this warning:

Warning: openssl_decrypt(): IV passed is only 4 bytes long, cipher expects an IV 
of precisely 16 bytes, padding with \0

which is probably the cause here. The buffer we pass in is not large enough to 
fit the IV.

A quick hack which fixes the segfault:


--- ext/openssl/openssl.c	(revision 323261)
+++ ext/openssl/openssl.c	(working copy)
@@ -4819,7 +4819,7 @@
 	free_iv = php_openssl_validate_iv(&iv, &iv_len, 
EVP_CIPHER_iv_length(cipher_type) TSRMLS_CC);
 
 	outlen = data_len + EVP_CIPHER_block_size(cipher_type);
-	outbuf = emalloc(outlen + 1);
+	outbuf = emalloc(outlen + 16);
 
 	EVP_DecryptInit(&cipher_ctx, cipher_type, NULL, NULL);
 	if (password_len > keylen) {

but it obviously isn't the right solution.
 [2012-02-18 00:53 UTC] me at ktamura dot com
FYI...the said "hacky" patch of adding 16 as opposed to 1 bytes do not solve the 
problem for PHP 5.3.8 built with --enable-debug and --with-openssl --without-iconv 
options on snow leopard.
 [2012-02-18 01:02 UTC] me at ktamura dot com
I feel that the real issue is that there is no input check on the first argument of 
openssl_decrypt. Looking at http://linux.die.net/man/3/evp_decryptupdate it is 
unclear what the expected behavior is if you feed invalid input into 
EVP_DecryptUpdate. Perhaps we can do input validation?
 [2012-02-18 04:39 UTC] me at ktamura dot com
I think I know why. Basically, when the input data is malformed but $raw_input is set to false, we get a null pointer. Here is a suggested patch (Also available at https://gist.github.com/1857431)

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c   (revision 323312)
+++ ext/openssl/openssl.c   (working copy)
@@ -4801,6 +4801,11 @@
        base64_str = (char*)php_base64_decode((unsigned char*)data, data_len, &base64_str_len);
        data_len = base64_str_len;
        data = base64_str;
+        
+        if (data == NULL) {
+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode the base64 input");
+            RETURN_FALSE;
+        }
    }

    keylen = EVP_CIPHER_key_length(cipher_type);
 [2012-02-22 11:50 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2012-02-22 18:55 UTC] johannes@php.net
-Assigned To: pajoye +Assigned To: scottmac
 [2012-02-22 18:55 UTC] johannes@php.net
Scott said he'd look into it :-)
 [2012-02-23 01:26 UTC] scottmac@php.net
Automatic comment from SVN on behalf of scottmac
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323440
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
 [2012-02-23 01:28 UTC] scottmac@php.net
-Status: Assigned +Status: Closed
 [2012-02-23 01:28 UTC] scottmac@php.net
Thanks, Fixed in 5.3, 5.4 and trunk.
 [2012-02-25 13:27 UTC] odoucet@php.net
Automatic comment from SVN on behalf of odoucet
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323509
Log: test for bug #61124
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC