[PHP-BUG] Bug #62443 [NEW]: Crypt SHA256/512 Segfaults With Malformed Salt

Thu, 28 Jun 2012 17:02:59 -0700 

From:             ircmaxell
Operating system: All
PHP version:      master-Git-2012-06-28 (Git)
Package:          Reproducible crash
Bug Type:         Bug
Bug description:Crypt SHA256/512 Segfaults With Malformed Salt

Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null
byte. 
This is because the emalloc call and the memset call use different length
inputs 
for the `output` string.  The memset call then overflows the buffer.

Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>

and

<?php
crypt("foo", '$6$'.chr(0).'abc');
?>

Expected result:
----------------
No output

Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)

-- 
Edit bug report at https://bugs.php.net/bug.php?id=62443&edit=1
-- 
Try a snapshot (PHP 5.4):            
https://bugs.php.net/fix.php?id=62443&r=trysnapshot54
Try a snapshot (PHP 5.3):            
https://bugs.php.net/fix.php?id=62443&r=trysnapshot53
Try a snapshot (trunk):              
https://bugs.php.net/fix.php?id=62443&r=trysnapshottrunk
Fixed in SVN:                        
https://bugs.php.net/fix.php?id=62443&r=fixed
Fixed in SVN and need be documented: 
https://bugs.php.net/fix.php?id=62443&r=needdocs
Fixed in release:                    
https://bugs.php.net/fix.php?id=62443&r=alreadyfixed
Need backtrace:                      
https://bugs.php.net/fix.php?id=62443&r=needtrace
Need Reproduce Script:               
https://bugs.php.net/fix.php?id=62443&r=needscript
Try newer version:                   
https://bugs.php.net/fix.php?id=62443&r=oldversion
Not developer issue:                 
https://bugs.php.net/fix.php?id=62443&r=support
Expected behavior:                   
https://bugs.php.net/fix.php?id=62443&r=notwrong
Not enough info:                     
https://bugs.php.net/fix.php?id=62443&r=notenoughinfo
Submitted twice:                     
https://bugs.php.net/fix.php?id=62443&r=submittedtwice
register_globals:                    
https://bugs.php.net/fix.php?id=62443&r=globals
PHP 4 support discontinued:          
https://bugs.php.net/fix.php?id=62443&r=php4
Daylight Savings:                    https://bugs.php.net/fix.php?id=62443&r=dst
IIS Stability:                       
https://bugs.php.net/fix.php?id=62443&r=isapi
Install GNU Sed:                     
https://bugs.php.net/fix.php?id=62443&r=gnused
Floating point limitations:          
https://bugs.php.net/fix.php?id=62443&r=float
No Zend Extensions:                  
https://bugs.php.net/fix.php?id=62443&r=nozend
MySQL Configuration Error:           
https://bugs.php.net/fix.php?id=62443&r=mysqlcfg

Reply via email to