Edit report at https://bugs.php.net/bug.php?id=61124&edit=1

 ID:                 61124
 Updated by:         scott...@php.net
 Reported by:        mangirdas at impresspages dot org
 Summary:            Segmentation fault
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            OpenSSL related
 Operating System:   CentOS release 5.7 (Final)
 PHP Version:        5.3.10
 Assigned To:        scottmac
 Block user comment: N
 Private report:     N

 New Comment:

Thanks, Fixed in 5.3, 5.4 and trunk.


Previous Comments:
------------------------------------------------------------------------
[2012-02-23 01:26:43] scott...@php.net

Automatic comment from SVN on behalf of scottmac
Revision: http://svn.php.net/viewvc/?view=revision&revision=323440
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).

------------------------------------------------------------------------
[2012-02-22 18:55:26] johan...@php.net

Scott said he'd look into it :-)

------------------------------------------------------------------------
[2012-02-18 04:39:27] me at ktamura dot com

I think I know why. Basically, when the input data is malformed but $raw_input
is set to false, we get a null pointer. Here is a suggested patch (also
available at https://gist.github.com/1857431):

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c   (revision 323312)
+++ ext/openssl/openssl.c   (working copy)
@@ -4801,6 +4801,11 @@
        base64_str = (char*)php_base64_decode((unsigned char*)data, data_len, 
&base64_str_len);
        data_len = base64_str_len;
        data = base64_str;
+        
+        if (data == NULL) {
+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode the 
base64 input");
+            RETURN_FALSE;
+        }
    }

    keylen = EVP_CIPHER_key_length(cipher_type);
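
Review bot: the NULL check comes after `data_len = base64_str_len;` and `data = base64_str;`, so on a failed decode both variables are overwritten before the function bails out, and `base64_str_len` is read without knowing the decode succeeded (whether it is set on failure is not visible in this hunk). Test `base64_str` directly after the `php_base64_decode()` call and assign `data` and `data_len` only on success. The added blank line before the `if` also carries trailing whitespace.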

------------------------------------------------------------------------
[2012-02-18 01:02:48] me at ktamura dot com

I feel that the real issue is that there is no input check on the first
argument of openssl_decrypt. Looking at http://linux.die.net/man/3/evp_decryptupdate
it is unclear what the expected behavior is if you feed invalid input into
EVP_DecryptUpdate. Perhaps we can do input validation?
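
The failure mode discussed in this thread, as an added example (not code from the PHP source or from the patch above): a decoder that returns NULL on malformed input, and a caller that rejects NULL before the buffer or length is used, in the order the suggested patch checks it. `toy_b64_decode` and `decoded_len` are hypothetical names, and the toy decoder's rejection rules are an assumption, not those of `php_base64_decode`.

```c
#include <stdlib.h>
#include <string.h>

/* Toy strict base64 decoder (stand-in, not php_base64_decode): NULL on malformed input. */
static unsigned char *toy_b64_decode(const char *in, size_t len, size_t *out_len)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, n = 0, pad = 0;
    unsigned long acc = 0;
    unsigned char *out;
    const char *p = tbl;
    if (len == 0 || len % 4 != 0 || (out = malloc(len / 4 * 3)) == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (in[i] == '=' && i + 2 >= len) {        /* padding: last two chars only */
            p = tbl;                               /* contributes six zero bits */
            pad++;
        } else if (pad || !in[i] || (p = strchr(tbl, in[i])) == NULL) {
            free(out);                             /* malformed input */
            return NULL;
        }
        acc = (acc << 6) | (unsigned long)(p - tbl);
        if (i % 4 == 3) {                          /* 4 chars -> 3 bytes */
            out[n++] = (acc >> 16) & 0xff;
            out[n++] = (acc >> 8) & 0xff;
            out[n++] = acc & 0xff;
        }
    }
    *out_len = n - pad;
    return out;
}

/* Decode unless raw_input is set; returns the usable length, or -1 on a failed decode. */
long decoded_len(const char *data, int raw_input)
{
    size_t len = strlen(data);
    unsigned char *buf;
    if (raw_input)                                 /* raw input is used as-is */
        return (long)len;
    if ((buf = toy_b64_decode(data, len, &len)) == NULL)
        return -1;                                 /* the kind of check the patch adds */
    free(buf);
    return (long)len;
}

int main(void)
{
    /* Constructed inputs: one valid string, one with an invalid character. */
    return decoded_len("aGVsbG8=", 0) == 5 && decoded_len("a*b=", 0) == -1 ? 0 : 1;
}
```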

------------------------------------------------------------------------
[2012-02-18 00:53:01] me at ktamura dot com

FYI... the said "hacky" patch of adding 16 as opposed to 1 bytes does not solve
the problem for PHP 5.3.8 built with --enable-debug and --with-openssl
--without-iconv options on Snow Leopard.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=61124

