Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0: Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
2024-09-22 18:37:25 +00:00 · 2016-08-29 20:34:44 +02:00 · 2016-08-29 20:34:44 +02:00 · 22a825db85
commit 22a825db85
parent 722783c2c6 946335ba70
2 changed files with 25 additions and 0 deletions
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@ -158,6 +158,14 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 				salt[1] == '2' &&
 				salt[3] == '$') {
 			char output[PHP_MAX_SALT_LEN + 1];
+			int k = 7;
+
+			while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+				k++;
+			}
+			if (k != salt_len) {
+				return NULL;
+			}

 			memset(output, 0, PHP_MAX_SALT_LEN + 1);

--- a/ext/standard/tests/strings/bug72703.phpt
+++ b/ext/standard/tests/strings/bug72703.phpt
@ -0,0 +1,17 @@
+--TEST--
+Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+	die("SKIP crypt() is not available");
+}
+?> 
+--FILE--
+<?php
+	var_dump(password_verify("","$2y$10$$"));
+?>
+==OK==
+--EXPECT--
+bool(false)
+==OK==
+