clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-22 02:17:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #35496 (Crash in mcrypt_generic()/mdecrypt_generic() without

Browse Source 
proper init).
This commit is contained in:
Ilia Alshanetsky 2005-11-30 23:51:25 +00:00
parent 9c2183f622
commit ae07423bcd
3 changed files with 71 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -17,6 +17,8 @@ PHP NEWS
. Added methods getNamespaces(), getDocNamespaces()
- Fixed crash and leak in mysqli when using 4.1.x client libraries and
connecting to 5.x server. (Andrey)
- Fixed bug #35496 (Crash in mcrypt_generic()/mdecrypt_generic() without
proper init). (Ilia)
- Fixed bug #35470 (Assigning global using variable name from array doesn't
function). (Dmitry)
- Fixed bug #35456 (+ 1 [time unit] format did not work). (Ilia)

88
ext/mcrypt/mcrypt.c
View File

@ -38,6 +38,11 @@
static int le_mcrypt;
typedef struct _php_mcrypt {
MCRYPT td;
zend_bool init;
} php_mcrypt;
function_entry mcrypt_functions[] = {
PHP_FE(mcrypt_ecb, NULL)
PHP_FE(mcrypt_cbc, NULL)
@ -194,11 +199,11 @@ ZEND_GET_MODULE(mcrypt)
#define MCRYPT_GET_TD_ARG \
zval **mcryptind; \
MCRYPT td; \
php_mcrypt *pm; \
if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &mcryptind) == FAILURE) { \
WRONG_PARAM_COUNT \
} \
ZEND_FETCH_RESOURCE (td, MCRYPT, mcryptind, -1, "MCrypt", le_mcrypt);
ZEND_FETCH_RESOURCE (pm, php_mcrypt *, mcryptind, -1, "MCrypt", le_mcrypt);
#define MCRYPT_GET_MODE_DIR_ARGS(DIRECTORY) \
char *dir = NULL; \
@ -215,6 +220,12 @@ ZEND_GET_MODULE(mcrypt)
#define MCRYPT_ENTRY2_2_4(a,b) REGISTER_STRING_CONSTANT("MCRYPT_" #a, b, CONST_PERSISTENT)
#define MCRYPT_ENTRY2_4(a) MCRYPT_ENTRY_NAMED(a, a)
#define PHP_MCRYPT_INIT_CHECK \
if (!pm->init) { \
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Operation disallowed prior to mcrypt_generic_init()."); \
RETURN_FALSE; \
} \
PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("mcrypt.algorithms_dir", NULL, PHP_INI_ALL, OnUpdateString, algorithms_dir, zend_mcrypt_globals, mcrypt_globals)
STD_PHP_INI_ENTRY("mcrypt.modes_dir", NULL, PHP_INI_ALL, OnUpdateString, modes_dir, zend_mcrypt_globals, mcrypt_globals)
@ -222,9 +233,13 @@ PHP_INI_END()
static void php_mcrypt_module_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
{
MCRYPT td = (MCRYPT) rsrc->ptr;
mcrypt_generic_deinit(td);
mcrypt_module_close (td);
php_mcrypt *pm = (php_mcrypt *) rsrc->ptr;
if (pm) {
mcrypt_generic_deinit(pm->td);
mcrypt_module_close(pm->td);
efree(pm);
pm = NULL;
}
}
@ -357,6 +372,7 @@ PHP_FUNCTION(mcrypt_module_open)
int cipher_len, cipher_dir_len;
int mode_len, mode_dir_len;
MCRYPT td;
php_mcrypt *pm;
if (zend_parse_parameters (ZEND_NUM_ARGS() TSRMLS_CC, "ssss",
&cipher, &cipher_len, &cipher_dir, &cipher_dir_len,
@ -375,7 +391,10 @@ PHP_FUNCTION(mcrypt_module_open)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not open encryption module");
RETURN_FALSE;
} else {
ZEND_REGISTER_RESOURCE(return_value, td, le_mcrypt);
pm = emalloc(sizeof(php_mcrypt));
pm->td = td;
pm->init = 0;
ZEND_REGISTER_RESOURCE(return_value, pm, le_mcrypt);
}
}
/* }}} */
@ -389,7 +408,7 @@ PHP_FUNCTION(mcrypt_generic_init)
zval **mcryptind;
unsigned char *key_s, *iv_s;
int max_key_size, key_size, iv_size;
MCRYPT td;
php_mcrypt *pm;
int argc;
int result = 0;
@ -397,12 +416,12 @@ PHP_FUNCTION(mcrypt_generic_init)
MCRYPT_CHECK_PARAM_COUNT (3,3)
zend_get_parameters_ex(3, &mcryptind, &key, &iv);
ZEND_FETCH_RESOURCE(td, MCRYPT, mcryptind, -1, "MCrypt", le_mcrypt);
ZEND_FETCH_RESOURCE(pm, php_mcrypt *, mcryptind, -1, "MCrypt", le_mcrypt);
convert_to_string_ex(key);
convert_to_string_ex(iv);
max_key_size = mcrypt_enc_get_key_size(td);
iv_size = mcrypt_enc_get_iv_size(td);
max_key_size = mcrypt_enc_get_key_size(pm->td);
iv_size = mcrypt_enc_get_iv_size(pm->td);
if (Z_STRLEN_PP(key) == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Key size is 0");
@ -427,8 +446,8 @@ PHP_FUNCTION(mcrypt_generic_init)
}
memcpy(iv_s, Z_STRVAL_PP(iv), iv_size);
mcrypt_generic_deinit(td);
result = mcrypt_generic_init(td, key_s, key_size, iv_s);
mcrypt_generic_deinit(pm->td);
result = mcrypt_generic_init(pm->td, key_s, key_size, iv_s);
/* If this function fails, close the mcrypt module to prevent crashes
* when further functions want to access this resource */
@ -447,6 +466,7 @@ PHP_FUNCTION(mcrypt_generic_init)
break;
}
}
pm->init = 1;
RETVAL_LONG(result);
efree(iv_s);
@ -460,7 +480,7 @@ PHP_FUNCTION(mcrypt_generic_init)
PHP_FUNCTION(mcrypt_generic)
{
zval **data, **mcryptind;
MCRYPT td;
php_mcrypt *pm;
int argc;
unsigned char* data_s;
int block_size, data_size;
@ -469,12 +489,13 @@ PHP_FUNCTION(mcrypt_generic)
MCRYPT_CHECK_PARAM_COUNT (2,2)
zend_get_parameters_ex(2, &mcryptind, &data);
ZEND_FETCH_RESOURCE(td, MCRYPT, mcryptind, -1, "MCrypt", le_mcrypt);
ZEND_FETCH_RESOURCE(pm, php_mcrypt *, mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
convert_to_string_ex(data);
/* Check blocksize */
if (mcrypt_enc_is_block_mode(td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(td);
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((Z_STRLEN_PP(data) - 1) / block_size) + 1) * block_size;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
@ -486,7 +507,7 @@ PHP_FUNCTION(mcrypt_generic)
memcpy(data_s, Z_STRVAL_PP(data), Z_STRLEN_PP(data));
}
mcrypt_generic(td, data_s, data_size);
mcrypt_generic(pm->td, data_s, data_size);
data_s[data_size] = '\0';
RETVAL_STRINGL(data_s, data_size, 1);
@ -500,7 +521,7 @@ PHP_FUNCTION(mcrypt_generic)
PHP_FUNCTION(mdecrypt_generic)
{
zval **data, **mcryptind;
MCRYPT td;
php_mcrypt *pm;
int argc;
char* data_s;
int block_size, data_size;
@ -509,12 +530,13 @@ PHP_FUNCTION(mdecrypt_generic)
MCRYPT_CHECK_PARAM_COUNT (2,2)
zend_get_parameters_ex(2, &mcryptind, &data);
ZEND_FETCH_RESOURCE(td, MCRYPT, mcryptind, -1, "MCrypt", le_mcrypt);
ZEND_FETCH_RESOURCE(pm, php_mcrypt * , mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
convert_to_string_ex(data);
/* Check blocksize */
if (mcrypt_enc_is_block_mode(td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(td);
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((Z_STRLEN_PP(data) - 1) / block_size) + 1) * block_size;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
@ -526,7 +548,7 @@ PHP_FUNCTION(mdecrypt_generic)
memcpy(data_s, Z_STRVAL_PP(data), Z_STRLEN_PP(data));
}
mdecrypt_generic(td, data_s, data_size);
mdecrypt_generic(pm->td, data_s, data_size);
RETVAL_STRINGL(data_s, data_size, 1);
efree(data_s);
@ -544,7 +566,7 @@ PHP_FUNCTION(mcrypt_enc_get_supported_key_sizes)
MCRYPT_GET_TD_ARG
array_init(return_value);
key_sizes = mcrypt_enc_get_supported_key_sizes(td, &count);
key_sizes = mcrypt_enc_get_supported_key_sizes(pm->td, &count);
for (i = 0; i < count; i++) {
add_index_long(return_value, i, key_sizes[i]);
@ -560,7 +582,7 @@ PHP_FUNCTION(mcrypt_enc_get_supported_key_sizes)
PHP_FUNCTION(mcrypt_enc_self_test)
{
MCRYPT_GET_TD_ARG
RETURN_LONG(mcrypt_enc_self_test(td));
RETURN_LONG(mcrypt_enc_self_test(pm->td));
}
/* }}} */
@ -591,7 +613,7 @@ PHP_FUNCTION(mcrypt_generic_deinit)
{
MCRYPT_GET_TD_ARG
if (mcrypt_generic_deinit(td) < 0) {
if (mcrypt_generic_deinit(pm->td) < 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not terminate encryption specifier");
RETURN_FALSE
}
@ -606,7 +628,7 @@ PHP_FUNCTION(mcrypt_enc_is_block_algorithm_mode)
{
MCRYPT_GET_TD_ARG
if (mcrypt_enc_is_block_algorithm_mode(td) == 1) {
if (mcrypt_enc_is_block_algorithm_mode(pm->td) == 1) {
RETURN_TRUE
} else {
RETURN_FALSE
@ -621,7 +643,7 @@ PHP_FUNCTION(mcrypt_enc_is_block_algorithm)
{
MCRYPT_GET_TD_ARG
if (mcrypt_enc_is_block_algorithm(td) == 1) {
if (mcrypt_enc_is_block_algorithm(pm->td) == 1) {
RETURN_TRUE
} else {
RETURN_FALSE
@ -636,7 +658,7 @@ PHP_FUNCTION(mcrypt_enc_is_block_mode)
{
MCRYPT_GET_TD_ARG
if (mcrypt_enc_is_block_mode(td) == 1) {
if (mcrypt_enc_is_block_mode(pm->td) == 1) {
RETURN_TRUE
} else {
RETURN_FALSE
@ -650,7 +672,7 @@ PHP_FUNCTION(mcrypt_enc_is_block_mode)
PHP_FUNCTION(mcrypt_enc_get_block_size)
{
MCRYPT_GET_TD_ARG
RETURN_LONG(mcrypt_enc_get_block_size(td));
RETURN_LONG(mcrypt_enc_get_block_size(pm->td));
}
/* }}} */
@ -660,7 +682,7 @@ PHP_FUNCTION(mcrypt_enc_get_block_size)
PHP_FUNCTION(mcrypt_enc_get_key_size)
{
MCRYPT_GET_TD_ARG
RETURN_LONG(mcrypt_enc_get_key_size(td));
RETURN_LONG(mcrypt_enc_get_key_size(pm->td));
}
/* }}} */
@ -670,7 +692,7 @@ PHP_FUNCTION(mcrypt_enc_get_key_size)
PHP_FUNCTION(mcrypt_enc_get_iv_size)
{
MCRYPT_GET_TD_ARG
RETURN_LONG(mcrypt_enc_get_iv_size(td));
RETURN_LONG(mcrypt_enc_get_iv_size(pm->td));
}
/* }}} */
@ -682,7 +704,7 @@ PHP_FUNCTION(mcrypt_enc_get_algorithms_name)
char *name;
MCRYPT_GET_TD_ARG
name = mcrypt_enc_get_algorithms_name(td);
name = mcrypt_enc_get_algorithms_name(pm->td);
RETVAL_STRING(name, 1);
mcrypt_free(name);
}
@ -696,7 +718,7 @@ PHP_FUNCTION(mcrypt_enc_get_modes_name)
char *name;
MCRYPT_GET_TD_ARG
name = mcrypt_enc_get_modes_name(td);
name = mcrypt_enc_get_modes_name(pm->td);
RETVAL_STRING(name, 1);
mcrypt_free(name);
}

14
ext/mcrypt/tests/bug35496.phpt Normal file
View File

@ -0,0 +1,14 @@
--TEST--
Bug #35496 (Crash in mcrypt_generic()/mdecrypt_generic() without proper init).
--SKIPIF--
<?php if (!extension_loaded("mcrypt")) print "skip"; ?>
--FILE--
<?php
$td = mcrypt_module_open('rijndael-256', '', 'ofb', '');
mcrypt_generic($td, "foobar");
mdecrypt_generic($td, "baz");
?>
--EXPECTF--
Warning: mcrypt_generic(): Operation disallowed prior to mcrypt_generic_init(). in %s/bug35496.php on line 3
Warning: mdecrypt_generic(): Operation disallowed prior to mcrypt_generic_init(). in %s/bug35496.php on line 4