|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75221 Argon2i always throws NUL at the end
Submitted: 2017-09-18 09:40 UTC Modified: 2017-10-12 10:58 UTC
Avg. Score:3.0 ± 2.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: phpdoc at mail dot my1 dot info Assigned: cmb (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 7.2.0RC2 OS: Win8.1 x64
Private report: No CVE-ID: None
 [2017-09-18 09:40 UTC] phpdoc at mail dot my1 dot info
for some reason using argon2i as a hash algorithm, it always dumps out a NUL byte at the end which doesnt happen with bcrypt.

I just use the PHP7.2-RC2 x64-nts from on a webserver using cgi

Test script:
header("Content-type: text/plain");
  'memory_cost' => 16384, // 16 Mb
  'time_cost'   => 2,
  'threads'     => 4,]);
echo  $pwhash;

  "cost"=> 10]);
  echo $pwhash2;

Expected result:
that it wont dump a NUL at the end

Actual result:
it does throw a NUL byte at the end.


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-09-18 09:56 UTC] phpdoc at mail dot my1 dot info
by the way, password_verify, doesnt care whether the NUL exists.

the test script can be expanded by:

 [2017-09-18 12:57 UTC]
-Status: Open +Status: Verified
 [2017-09-18 12:57 UTC]
The problem appears to be that argon2_encodedlen() returns the
length of the resulting string including the trailing NUL byte
(i.e. strlen()+1). However, zend_string_alloc() wants the length
of the string without trailing NUL.

See <>.
 [2017-10-12 10:57 UTC]
Automatic comment on behalf of
Log: Fixed bug #75221 (Argon2i always throws NUL at the end)
 [2017-10-12 10:57 UTC]
-Status: Verified +Status: Closed
 [2017-10-12 10:58 UTC]
-Assigned To: +Assigned To: cmb
 [2017-10-25 08:13 UTC] phpdoc at mail dot my1 dot info
I can confirm this fixed as of RC5
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC