Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
Submitted: 2012-06-29 00:02 UTC
Modified: 2012-06-29 02:48 UTC
From: ircmaxell@php.net
Assigned: ircmaxell
Status: Closed
Package: Reproducible crash
PHP Version: master-Git-2012-06-28 (Git)
OS: All
Private report: No
CVE-ID:
 [2012-06-29 00:02 UTC] ircmaxell@php.net
Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte. 
This is because the emalloc call and the memset call use different length inputs 
for the `output` string.  The memset call then overflows the buffer.

Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>

and

<?php
crypt("foo", '$6$'.chr(0).'abc');
?>

Expected result:
----------------
No output

Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)
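
The length mismatch described in the report, modeled as an added example (not code from php-src). The constants, the '$'-padded salt buffer and all function names are assumptions made for illustration; the flawed path only computes the overrun and never performs the out-of-bounds write.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SALT_LEN 123   /* assumed size of the working salt buffer */
#define OVERHEAD      64   /* assumed room for prefix, rounds field and hash */

/* Pad the working salt with '$', then copy the caller's bytes by explicit
 * length, so an embedded NUL byte survives inside the buffer. */
static void build_salt(char *buf, const char *in, size_t in_len) {
    memset(buf, '$', MAX_SALT_LEN);
    if (in_len > MAX_SALT_LEN) in_len = MAX_SALT_LEN;
    memcpy(buf, in, in_len);
    buf[MAX_SALT_LEN] = '\0';
}

/* Flawed sizing: strlen() stops at the first NUL, so a salt containing a
 * NUL byte shrinks the allocation. */
static size_t alloc_len_flawed(const char *salt) {
    return OVERHEAD + strlen(salt);
}

/* Bytes a fixed-size wipe of MAX_SALT_LEN + 1 would write past the end of
 * a buffer sized by alloc_len_flawed(); 0 means the wipe fits. */
static size_t wipe_overrun(const char *in, size_t in_len) {
    char salt[MAX_SALT_LEN + 1];
    build_salt(salt, in, in_len);
    size_t have = alloc_len_flawed(salt);
    size_t wipe = MAX_SALT_LEN + 1;
    return wipe > have ? wipe - have : 0;
}

/* Hardened variant: a single length drives both the allocation and the
 * wipe, and salts with an embedded NUL are rejected before any sizing. */
static int output_buffer_safe(const char *in, size_t in_len) {
    if (in_len > MAX_SALT_LEN) return -1;
    if (memchr(in, '\0', in_len) != NULL) return -1;  /* malformed salt */
    size_t len = OVERHEAD + MAX_SALT_LEN + 1;
    char *output = malloc(len);
    if (output == NULL) return -1;
    memcpy(output, in, in_len);   /* stand-in for the hash writing its result */
    memset(output, 0, len);       /* wipe uses the same length as malloc */
    free(output);
    return 0;
}
```

With these assumed sizes, the report's `'$5$'.chr(0).'abc'` salt yields a 67-byte allocation against a 124-byte wipe, while a salt without a NUL byte leaves the wipe inside the buffer.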

 [2012-06-29 00:12 UTC] ircmaxell@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: ircmaxell
 [2012-06-29 01:03 UTC] ircmaxell@php.net
Automatic comment on behalf of ircmaxell@ircmaxell.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7e8276ca68fc622124d51d18e4f7b5cde3536de4
Log: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
 [2012-06-29 02:48 UTC] ircmaxell@php.net
This has been fixed in the 5.3, 5.4 and master branches.
 [2012-06-29 02:48 UTC] ircmaxell@php.net
-Status: Assigned
+Status: Closed
 
Last updated: Fri Apr 18 03:02:48 2014 UTC