Fixed bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify

Author: weltling

ext/standard/crypt.c

@@ -201,6 +201,14 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
 				salt[5] >= '0' && salt[5] <= '9' &&
 				salt[6] == '$') {
 			char output[PHP_MAX_SALT_LEN + 1];
+			int k = 7;
+
+			while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
+				k++;
+			}
+			if (k != salt_len) {
+				return FAILURE;
+			}
 
 			memset(output, 0, PHP_MAX_SALT_LEN + 1);
 

ext/standard/tests/strings/bug72703.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #72703 Out of bounds global memory read in BF_crypt triggered by password_verify
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+	die("SKIP crypt() is not available");
+}
+?> 
+--FILE--
+<?php
+	var_dump(password_verify("","$2y$10$$"));
+?>
+==OK==
+--EXPECT--
+bool(false)
+==OK==
+