authorAnthony Ferrara <ircmaxell@ircmaxell.com>2012-06-28 20:36:21 -0400
committerAnthony Ferrara <ircmaxell@ircmaxell.com>2012-06-28 20:36:21 -0400
commit34ab5650bcea46825ed1f9021c5a52b161705c27 (patch)
tree28e4459982a62a7f2f00085816b70e322abc4cd7
parent405ebfcd182a39f0960ff7d7055d49053d3e0316 (diff)
parent7e8276ca68fc622124d51d18e4f7b5cde3536de4 (diff)
Merge branch 'PHP-5.3' into PHP-5.4
* PHP-5.3: Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed Salt)
-rw-r--r--NEWS2
-rw-r--r--ext/standard/crypt.c4
-rw-r--r--ext/standard/tests/strings/bug62443.phpt9
3 files changed, 13 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index b1de5f189e..6821a7ebce 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP NEWS
includes a semi-colon). (Pierrick)
. Fixed potential overflow in _php_stream_scandir (CVE-2012-2688).
(Jason Powell, Stas)
+ . Fixed bug #62443 (Crypt SHA256/512 Segfaults With Malformed
+ Salt). (Anthony Ferrara)
- EXIF:
. Fixed information leak in ext exif (discovered by Martin Noga,
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 9a1fcf1f69..3ade86a068 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -199,7 +199,7 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha512_salt_prefix) - 1
+ sizeof(sha512_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
output = emalloc(needed);
salt[salt_in_len] = '\0';
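Review bot: The SHA-512 size calculation still reserves `43` characters for the encoded digest, the same figure the SHA-256 branch uses in the next hunk, but a SHA-512 crypt hash encodes to 86 characters. With `PHP_MAX_SALT_LEN` now in the sum the slack probably covers the difference (its value is defined outside this hunk), yet the arithmetic no longer matches the real output layout; I would write `+ PHP_MAX_SALT_LEN + 1 + 86 + 1);` here. Both branches would also benefit from a one-line comment above `needed`, for example `/* bound by the salt buffer capacity, not strlen(salt): the salt may hold an embedded NUL and is only terminated at salt_in_len below */`. The body of PHP_FUNCTION(crypt) starts and ends outside the hunk, so how `needed` is passed on to the hashing routine cannot be checked from here.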
@@ -222,7 +222,7 @@ PHP_FUNCTION(crypt)
char *output;
int needed = (sizeof(sha256_salt_prefix) - 1
+ sizeof(sha256_rounds_prefix) + 9 + 1
- + strlen(salt) + 1 + 43 + 1);
+ + PHP_MAX_SALT_LEN + 1 + 43 + 1);
output = emalloc(needed);
salt[salt_in_len] = '\0';
diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt
new file mode 100644
index 0000000000..9e0dc38cfb
--- /dev/null
+++ b/ext/standard/tests/strings/bug62443.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
+--FILE--
+<?php
+crypt("foo", '$5$'.chr(0).'abc');
+crypt("foo", '$6$'.chr(0).'abc');
+echo "OK!";
+--EXPECT--
+OK!
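Review bot: Both `crypt()` calls discard their return value, so the test only proves that the process survives a salt containing `chr(0)`. A later change that makes these calls return a truncated hash or a failure marker would still print `OK!` and pass. I would print each result, e.g. `var_dump(crypt("foo", '$5$'.chr(0).'abc'));`, and record the observed output in the expectation section, so the behaviour for NUL-containing salts is pinned as well as the absence of a crash.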