diff options
Diffstat (limited to 'ext/standard')
| -rw-r--r-- | ext/standard/base64.c | 4 | ||||
| -rw-r--r-- | ext/standard/crypt.c | 4 | ||||
| -rw-r--r-- | ext/standard/tests/serialize/bug62373.phpt | 25 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug62443.phpt | 9 | ||||
| -rw-r--r-- | ext/standard/var.c | 7 |
5 files changed, 40 insertions, 9 deletions
diff --git a/ext/standard/base64.c b/ext/standard/base64.c index 9e9c36250c..d78cb244c5 100644 --- a/ext/standard/base64.c +++ b/ext/standard/base64.c @@ -59,14 +59,14 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in unsigned char *p; unsigned char *result; - if ((length + 2) < 0 || ((length + 2) / 3) >= (1 << (sizeof(int) * 8 - 2))) { + if (length < 0) { if (ret_length != NULL) { *ret_length = 0; } return NULL; } - result = (unsigned char *)safe_emalloc(((length + 2) / 3) * 4, sizeof(char), 1); + result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1); p = result; while (length > 2) { /* keep going until we have less than 24 bits */ diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index a592a4b37c..25f5ec0107 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c @@ -171,7 +171,7 @@ PHPAPI int crypt_execute(const char *password, const int pass_len, const char *s char *output; int needed = (sizeof(sha512_salt_prefix) - 1 + sizeof(sha512_rounds_prefix) + 9 + 1 - + PHP_MAX_SALT_LEN + 43 + 1); + + salt_in_len + 1 + 86 + 1); output = emalloc(needed); crypt_res = php_sha512_crypt_r(password, salt, output, needed); @@ -189,7 +189,7 @@ PHPAPI int crypt_execute(const char *password, const int pass_len, const char *s char *output; int needed = (sizeof(sha256_salt_prefix) - 1 + sizeof(sha256_rounds_prefix) + 9 + 1 - + PHP_MAX_SALT_LEN + 43 + 1); + + salt_in_len + 1 + 43 + 1); output = emalloc(needed); crypt_res = php_sha256_crypt_r(password, salt, output, needed); diff --git a/ext/standard/tests/serialize/bug62373.phpt b/ext/standard/tests/serialize/bug62373.phpt new file mode 100644 index 0000000000..666c33ebdb --- /dev/null +++ b/ext/standard/tests/serialize/bug62373.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #62373 (serialize() generates wrong reference to the object) +--FILE-- +<?php +class A {} +class B {} + +$size_of_ce = (((int)(log(PHP_INT_MAX) / log(2)) + 1 == 32 ? 368: 680) + 15) & ~15; +$dummy = array(); +$b = new B(); +$period = $size_of_ce << 5; +for ($i = 0; $i < $period * 3; $i++) { + $a = new A(); + $s = unserialize(serialize(array($b, $a))); + if ($s[0] === $s[1]) { + echo "OOPS\n"; + break; + } + $dummy[] = $a; +} + +echo "OK\n"; +?> +--EXPECT-- +OK diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt new file mode 100644 index 0000000000..9e0dc38cfb --- /dev/null +++ b/ext/standard/tests/strings/bug62443.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt +--FILE-- +<?php +crypt("foo", '$5$'.chr(0).'abc'); +crypt("foo", '$6$'.chr(0).'abc'); +echo "OK!"; +--EXPECT-- +OK! diff --git a/ext/standard/var.c b/ext/standard/var.c index c6126e95fa..735d0a7cbb 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -541,12 +541,9 @@ static inline int php_add_var_hash(HashTable *var_hash, zval *var, void *var_old /* relies on "(long)" being a perfect hash function for data pointers, * however the actual identity of an object has had to be determined - * by its object handle and the class entry since 5.0. */ + * by its object handle since 5.0. */ if ((Z_TYPE_P(var) == IS_OBJECT) && Z_OBJ_HT_P(var)->get_class_entry) { - p = smart_str_print_long(id + sizeof(id) - 1, - (((size_t)Z_OBJCE_P(var) << 5) - | ((size_t)Z_OBJCE_P(var) >> (sizeof(long) * 8 - 5))) - + (long) Z_OBJ_HANDLE_P(var)); + p = smart_str_print_long(id + sizeof(id) - 1, (long) Z_OBJ_HANDLE_P(var)); *(--p) = 'O'; len = id + sizeof(id) - 1 - p; } else { |