|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
Submitted: 2012-06-29 00:02 UTC Modified: 2012-06-29 02:48 UTC
From: Assigned: ircmaxell
Status: Closed Package: Reproducible crash
PHP Version: master-Git-2012-06-28 (Git) OS: All
Private report: No CVE-ID:
 [2012-06-29 00:02 UTC]
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte. 
This is because the emalloc call and the memset call use different length inputs 
for the `output` string.  The memset call then overflows the buffer.

Test script:
crypt("foo", '$5$'.chr(0).'abc');


crypt("foo", '$6$'.chr(0).'abc');

Expected result:
No output

Actual result:
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-06-29 00:12 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: ircmaxell
 [2012-06-29 01:03 UTC]
Automatic comment on behalf of
Log: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
 [2012-06-29 02:48 UTC]
This has been fixed in the 5.3, 5.4 and master branches.
 [2012-06-29 02:48 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 03:02:48 2014 UTC