ext/hash: Fix GH-16711: Segfault in mhash()

Author: Girgias

ext/hash/hash.c

@@ -99,6 +99,10 @@ static struct mhash_bc_entry mhash_to_hash[MHASH_NUM_ALGOS] = {
 	{"XXH3", "xxh3", 40},
 	{"XXH128", "xxh128", 41},
 };
+static bool php_is_valid_mhash_algo(zend_long hash_algo) {
+	return hash_algo >= 0 && hash_algo < MHASH_NUM_ALGOS && hash_algo != 4 && hash_algo != 6 && hash_algo != 26;
+}
+
 #endif
 
 /* Hash Registry Access */
@@ -1184,10 +1188,11 @@ static void mhash_init(INIT_FUNC_ARGS)
 	int algo_number = 0;
 
 	for (algo_number = 0; algo_number < MHASH_NUM_ALGOS; algo_number++) {
-		struct mhash_bc_entry algorithm = mhash_to_hash[algo_number];
-		if (algorithm.mhash_name == NULL) {
+		if (!php_is_valid_mhash_algo(algo_number)) {
 			continue;
 		}
+		struct mhash_bc_entry algorithm = mhash_to_hash[algo_number];
+		ZEND_ASSERT(algorithm.mhash_name != NULL);
 
 		len = slprintf(buf, 127, "MHASH_%s", algorithm.mhash_name);
 		zend_register_long_constant(buf, len, algorithm.value, CONST_CS | CONST_PERSISTENT, module_number);
@@ -1209,11 +1214,12 @@ PHP_FUNCTION(mhash)
 	}
 
 	/* need to convert the first parameter from int constant to string algorithm name */
-	if (algorithm >= 0 && algorithm < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.hash_name) {
-			algo = zend_string_init(algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name), 0);
-		}
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		algo = zend_string_init(algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name), 0);
+	} else {
+		RETURN_FALSE;
 	}
 
 	if (key) {
@@ -1222,9 +1228,8 @@ PHP_FUNCTION(mhash)
 		php_hash_do_hash(return_value, algo, data, data_len, 1, 0, NULL);
 	}
 
-	if (algo) {
-		zend_string_release(algo);
-	}
+	ZEND_ASSERT(algo != NULL);
+	zend_string_release(algo);
 }
 /* }}} */
 
@@ -1237,11 +1242,10 @@ PHP_FUNCTION(mhash_get_hash_name)
 		RETURN_THROWS();
 	}
 
-	if (algorithm >= 0 && algorithm  < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			RETURN_STRING(algorithm_lookup.mhash_name);
-		}
+		ZEND_ASSERT(algorithm_lookup.mhash_name != NULL);
+		RETURN_STRING(algorithm_lookup.mhash_name);
 	}
 	RETURN_FALSE;
 }
@@ -1267,14 +1271,12 @@ PHP_FUNCTION(mhash_get_block_size)
 	}
 	RETVAL_FALSE;
 
-	if (algorithm >= 0 && algorithm  < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
-			if (ops) {
-				RETVAL_LONG(ops->digest_size);
-			}
-		}
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
+		ZEND_ASSERT(ops != NULL);
+		RETVAL_LONG(ops->digest_size);
 	}
 }
 /* }}} */
@@ -1309,47 +1311,46 @@ PHP_FUNCTION(mhash_keygen_s2k)
 	salt_len = SALT_SIZE;
 
 	RETVAL_FALSE;
-	if (algorithm >= 0 && algorithm < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
-			if (ops) {
-				unsigned char null = '\0';
-				void *context;
-				char *key, *digest;
-				int i = 0, j = 0;
-				size_t block_size = ops->digest_size;
-				size_t times = bytes / block_size;
-
-				if ((bytes % block_size) != 0) {
-					times++;
-				}
-
-				context = php_hash_alloc_context(ops);
-				ops->hash_init(context, NULL);
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
+		ZEND_ASSERT(ops != NULL);
+
+		unsigned char null = '\0';
+		void *context;
+		char *key, *digest;
+		int i = 0, j = 0;
+		size_t block_size = ops->digest_size;
+		size_t times = bytes / block_size;
+
+		if ((bytes % block_size) != 0) {
+			times++;
+		}
 
-				key = ecalloc(1, times * block_size);
-				digest = emalloc(ops->digest_size + 1);
+		context = php_hash_alloc_context(ops);
+		ops->hash_init(context, NULL);
 
-				for (i = 0; i < times; i++) {
-					ops->hash_init(context, NULL);
+		key = ecalloc(1, times * block_size);
+		digest = emalloc(ops->digest_size + 1);
 
-					for (j=0;j<i;j++) {
-						ops->hash_update(context, &null, 1);
-					}
-					ops->hash_update(context, (unsigned char *)padded_salt, salt_len);
-					ops->hash_update(context, (unsigned char *)password, password_len);
-					ops->hash_final((unsigned char *)digest, context);
-					memcpy( &key[i*block_size], digest, block_size);
-				}
+		for (i = 0; i < times; i++) {
+			ops->hash_init(context, NULL);
 
-				RETVAL_STRINGL(key, bytes);
-				ZEND_SECURE_ZERO(key, bytes);
-				efree(digest);
-				efree(context);
-				efree(key);
+			for (j=0;j<i;j++) {
+				ops->hash_update(context, &null, 1);
 			}
+			ops->hash_update(context, (unsigned char *)padded_salt, salt_len);
+			ops->hash_update(context, (unsigned char *)password, password_len);
+			ops->hash_final((unsigned char *)digest, context);
+			memcpy( &key[i*block_size], digest, block_size);
 		}
+
+		RETVAL_STRINGL(key, bytes);
+		ZEND_SECURE_ZERO(key, bytes);
+		efree(digest);
+		efree(context);
+		efree(key);
 	}
 }
 /* }}} */

ext/hash/tests/gh16711.phpt

@@ -0,0 +1,98 @@
+--TEST--
+GH-16711: Segmentation fault in mhash()
+--SKIPIF--
+<?php if(!function_exists('mhash')) { die('skip mhash compatibility layer not available'); } ?>
+--FILE--
+<?php
+
+$re = new ReflectionExtension("hash");
+var_dump($re->getConstants());
+
+var_dump(mhash(133, 1086849124, 133));
+?>
+--EXPECTF--
+array(40) {
+  ["HASH_HMAC"]=>
+  int(1)
+  ["MHASH_CRC32"]=>
+  int(0)
+  ["MHASH_MD5"]=>
+  int(1)
+  ["MHASH_SHA1"]=>
+  int(2)
+  ["MHASH_HAVAL256"]=>
+  int(3)
+  ["MHASH_RIPEMD160"]=>
+  int(5)
+  ["MHASH_TIGER"]=>
+  int(7)
+  ["MHASH_GOST"]=>
+  int(8)
+  ["MHASH_CRC32B"]=>
+  int(9)
+  ["MHASH_HAVAL224"]=>
+  int(10)
+  ["MHASH_HAVAL192"]=>
+  int(11)
+  ["MHASH_HAVAL160"]=>
+  int(12)
+  ["MHASH_HAVAL128"]=>
+  int(13)
+  ["MHASH_TIGER128"]=>
+  int(14)
+  ["MHASH_TIGER160"]=>
+  int(15)
+  ["MHASH_MD4"]=>
+  int(16)
+  ["MHASH_SHA256"]=>
+  int(17)
+  ["MHASH_ADLER32"]=>
+  int(18)
+  ["MHASH_SHA224"]=>
+  int(19)
+  ["MHASH_SHA512"]=>
+  int(20)
+  ["MHASH_SHA384"]=>
+  int(21)
+  ["MHASH_WHIRLPOOL"]=>
+  int(22)
+  ["MHASH_RIPEMD128"]=>
+  int(23)
+  ["MHASH_RIPEMD256"]=>
+  int(24)
+  ["MHASH_RIPEMD320"]=>
+  int(25)
+  ["MHASH_SNEFRU256"]=>
+  int(27)
+  ["MHASH_MD2"]=>
+  int(28)
+  ["MHASH_FNV132"]=>
+  int(29)
+  ["MHASH_FNV1A32"]=>
+  int(30)
+  ["MHASH_FNV164"]=>
+  int(31)
+  ["MHASH_FNV1A64"]=>
+  int(32)
+  ["MHASH_JOAAT"]=>
+  int(33)
+  ["MHASH_CRC32C"]=>
+  int(34)
+  ["MHASH_MURMUR3A"]=>
+  int(35)
+  ["MHASH_MURMUR3C"]=>
+  int(36)
+  ["MHASH_MURMUR3F"]=>
+  int(37)
+  ["MHASH_XXH32"]=>
+  int(38)
+  ["MHASH_XXH64"]=>
+  int(39)
+  ["MHASH_XXH3"]=>
+  int(40)
+  ["MHASH_XXH128"]=>
+  int(41)
+}
+
+Deprecated: Function mhash() is deprecated since 8.1 in %s on line %d
+bool(false)