From:             ircmaxell
Operating system: All
PHP version:      master-Git-2012-06-28 (Git)
Package:          Reproducible crash
Bug Type:         Bug
Bug description:  Crypt SHA256/512 Segfaults With Malformed Salt

Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte.

This is because the emalloc call and the memset call use different length inputs for the `output` string. The memset call then overflows the buffer.

Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>

and

<?php
crypt("foo", '$6$'.chr(0).'abc');
?>

Expected result:
----------------
No output

Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)

--
Edit bug report at https://bugs.php.net/bug.php?id=62443&edit=1
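
The length mismatch described in the report, modelled as an added example (not PHP's source and not code from the reporter): a buffer sized one way and wiped with a different length, next to a pattern where the buffer carries its own size. It assumes the short allocation comes from a strlen()-derived size; HASH_ROOM, FIXED_WIPE_LEN and the outbuf helpers are hypothetical names and values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for illustration; not taken from the PHP source. */
#define HASH_ROOM      64   /* assumed space for prefix, rounds and digest */
#define FIXED_WIPE_LEN 124  /* assumed constant used by the cleanup memset */

/* Constructed input mirroring the report's salt: '$5$' . chr(0) . 'abc' */
static const char SALT[] = "$5$\0abc";
#define SALT_LEN (sizeof(SALT) - 1)   /* 7 bytes, embedded NUL included */

/* Assumed buggy sizing: strlen() stops at the embedded NUL (3 bytes). */
size_t needed_strlen(const char *salt) { return strlen(salt) + HASH_ROOM; }

/* Binary-safe sizing: uses the length the caller actually passed in. */
size_t needed_binsafe(size_t salt_len) { return salt_len + HASH_ROOM; }

/* Bytes a wipe of `wiped` bytes writes past a buffer of `allocated` bytes. */
size_t wipe_overrun(size_t allocated, size_t wiped) {
    return wiped > allocated ? wiped - allocated : 0;
}

/* Hardened pattern: the buffer carries its own size for every later access. */
typedef struct { unsigned char *p; size_t n; } outbuf;

int outbuf_alloc(outbuf *o, size_t n) {
    o->p = malloc(n);
    o->n = o->p ? n : 0;
    return o->p ? 0 : -1;
}

/* Wipes exactly o->n bytes, then frees; returns the number of bytes wiped. */
size_t outbuf_wipe_free(outbuf *o) {
    volatile unsigned char *v = o->p;   /* volatile: wipe is not optimised out */
    size_t wiped = o->n;
    for (size_t i = 0; i < wiped; i++) v[i] = 0;
    free(o->p);
    o->p = NULL; o->n = 0;
    return wiped;
}

int main(void) {
    size_t a = needed_strlen(SALT);
    printf("strlen-sized alloc %zu, fixed wipe %d, overrun %zu bytes\n",
           a, FIXED_WIPE_LEN, wipe_overrun(a, FIXED_WIPE_LEN));
    outbuf o;
    if (outbuf_alloc(&o, needed_binsafe(SALT_LEN)) != 0) return 1;
    size_t alloc_n = o.n;
    printf("hardened alloc %zu, wiped %zu\n", alloc_n, outbuf_wipe_free(&o));
    return 0;
}
```

The model only computes the overrun; it never performs the out-of-bounds write.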