Crypt SHA256/512 Segfaults With Malformed Salt
| Bug #62443 | Crypt SHA256/512 Segfaults With Malformed Salt | | |
|---|---|---|---|
| Submitted: | 2012-06-29 00:02 UTC | Modified: | 2012-06-29 02:48 UTC |
| From: | ircmaxell@php.net | Assigned: | ircmaxell (profile) |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | master-Git-2012-06-28 (Git) | OS: | All |
| Private report: | No | CVE-ID: | None |
[2012-06-29 00:02 UTC] ircmaxell@php.net
Description:
------------
Crypt() SHA256 and SHA512 segfault when passed a salt that contains a null byte.
This is because the emalloc call and the memset call use different length inputs
for the `output` string. The memset call then overflows the buffer.
Test script:
---------------
<?php
crypt("foo", '$5$'.chr(0).'abc');
?>
and
<?php
crypt("foo", '$6$'.chr(0).'abc');
?>
Expected result:
----------------
No output
Actual result:
--------------
Either segmentation fault (sha512) or zend_mm_heap corrupted (sha256)
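The length mismatch described in the report, modelled as an added example (not PHP's source code and not the submitter's code). It assumes the allocation is sized with strlen() on the salt while the clear is sized from the caller-supplied salt length; OVERHEAD and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical room for prefix, rounds field and digest; not PHP's value. */
#define OVERHEAD 64

/* Flawed sizing (assumed): strlen() stops at the first NUL byte, so an
 * embedded NUL shrinks the allocation below the real salt length. */
size_t flawed_alloc_len(const char *salt) {
    return OVERHEAD + strlen(salt) + 1;
}

/* Flawed clear (assumed): sized from a different input, the full length. */
size_t flawed_wipe_len(size_t salt_len) {
    return OVERHEAD + salt_len + 1;
}

/* Bytes the clear would write past the allocation; 0 means in bounds. */
size_t overflow_bytes(const char *salt, size_t salt_len) {
    size_t a = flawed_alloc_len(salt), w = flawed_wipe_len(salt_len);
    return w > a ? w - a : 0;
}

/* Input check: does the salt contain a NUL before its stated end? */
int has_embedded_nul(const char *salt, size_t salt_len) {
    return memchr(salt, '\0', salt_len) != NULL;
}

/* Corrected pattern: one variable sizes both the allocation and the clear.
 * Returns the size used, or 0 if allocation fails. */
size_t alloc_and_wipe(size_t salt_len) {
    size_t needed = OVERHEAD + salt_len + 1;
    char *output = malloc(needed);
    if (output == NULL)
        return 0;
    memset(output, 0, needed);
    free(output);
    return needed;
}

int main(void) {
    /* Constructed inputs: the two salts from the test script, and a control. */
    const char *salts[] = { "$5$\0abc", "$6$\0abc", "$5$abcd" };
    for (int i = 0; i < 3; i++)
        printf("salt %d: embedded NUL=%d, clear overruns by %zu bytes\n", i,
               has_embedded_nul(salts[i], 7), overflow_bytes(salts[i], 7));
    printf("corrected size for both calls: %zu\n", alloc_and_wipe(7));
    return 0;
}
```

The model only computes the two lengths and never performs the out-of-bounds write, so it runs cleanly under a sanitizer.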
History
[2012-06-29 00:12 UTC] ircmaxell@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: ircmaxell
[2012-06-29 02:48 UTC] ircmaxell@php.net