ext/hash: Fix GH-16711: Segfault in mhash()

Girgias · Girgias · commit 6b64496d3ff5 · 2024-11-06T14:01:39.000Z
diff --git a/ext/hash/hash.c b/ext/hash/hash.c
@@ -99,6 +99,10 @@ static struct mhash_bc_entry mhash_to_hash[MHASH_NUM_ALGOS] = {
 	{"XXH3", "xxh3", 40},
 	{"XXH128", "xxh128", 41},
 };
+static bool php_is_valid_mhash_algo(zend_long hash_algo) {
+	return hash_algo >= 0 && hash_algo < MHASH_NUM_ALGOS && hash_algo != 4 && hash_algo != 6 && hash_algo != 26;
+}
+
 #endif
 
 /* Hash Registry Access */
@@ -1184,10 +1188,11 @@ static void mhash_init(INIT_FUNC_ARGS)
 	int algo_number = 0;
 
 	for (algo_number = 0; algo_number < MHASH_NUM_ALGOS; algo_number++) {
-		struct mhash_bc_entry algorithm = mhash_to_hash[algo_number];
-		if (algorithm.mhash_name == NULL) {
+		if (!php_is_valid_mhash_algo(algo_number)) {
 			continue;
 		}
+		struct mhash_bc_entry algorithm = mhash_to_hash[algo_number];
+		ZEND_ASSERT(algorithm.mhash_name != NULL);
 
 		len = slprintf(buf, 127, "MHASH_%s", algorithm.mhash_name);
 		zend_register_long_constant(buf, len, algorithm.value, CONST_CS | CONST_PERSISTENT, module_number);
@@ -1209,11 +1214,12 @@ PHP_FUNCTION(mhash)
 	}
 
 	/* need to convert the first parameter from int constant to string algorithm name */
-	if (algorithm >= 0 && algorithm < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.hash_name) {
-			algo = zend_string_init(algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name), 0);
-		}
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		algo = zend_string_init(algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name), 0);
+	} else {
+		RETURN_FALSE;
 	}
 
 	if (key) {
@@ -1222,9 +1228,8 @@ PHP_FUNCTION(mhash)
 		php_hash_do_hash(return_value, algo, data, data_len, 1, 0, NULL);
 	}
 
-	if (algo) {
-		zend_string_release(algo);
-	}
+	ZEND_ASSERT(algo != NULL);
+	zend_string_release(algo);
 }
 /* }}} */
 
@@ -1237,11 +1242,10 @@ PHP_FUNCTION(mhash_get_hash_name)
 		RETURN_THROWS();
 	}
 
-	if (algorithm >= 0 && algorithm  < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			RETURN_STRING(algorithm_lookup.mhash_name);
-		}
+		ZEND_ASSERT(algorithm_lookup.mhash_name != NULL);
+		RETURN_STRING(algorithm_lookup.mhash_name);
 	}
 	RETURN_FALSE;
 }
@@ -1267,14 +1271,12 @@ PHP_FUNCTION(mhash_get_block_size)
 	}
 	RETVAL_FALSE;
 
-	if (algorithm >= 0 && algorithm  < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
-			if (ops) {
-				RETVAL_LONG(ops->digest_size);
-			}
-		}
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
+		ZEND_ASSERT(ops != NULL);
+		RETVAL_LONG(ops->digest_size);
 	}
 }
 /* }}} */
@@ -1309,46 +1311,45 @@ PHP_FUNCTION(mhash_keygen_s2k)
 	salt_len = SALT_SIZE;
 
 	RETVAL_FALSE;
-	if (algorithm >= 0 && algorithm < MHASH_NUM_ALGOS) {
+	if (php_is_valid_mhash_algo(algorithm)) {
 		struct mhash_bc_entry algorithm_lookup = mhash_to_hash[algorithm];
-		if (algorithm_lookup.mhash_name) {
-			const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
-			if (ops) {
-				unsigned char null = '\0';
-				void *context;
-				char *key, *digest;
-				int i = 0, j = 0;
-				size_t block_size = ops->digest_size;
-				size_t times = bytes / block_size;
-
-				if ((bytes % block_size) != 0) {
-					times++;
-				}
+		ZEND_ASSERT(algorithm_lookup.hash_name != NULL);
+		const php_hash_ops *ops = zend_hash_str_find_ptr(&php_hash_hashtable, algorithm_lookup.hash_name, strlen(algorithm_lookup.hash_name));
+		if (ops) {
+			unsigned char null = '\0';
+			void *context;
+			char *key, *digest;
+			int i = 0, j = 0;
+			size_t block_size = ops->digest_size;
+			size_t times = bytes / block_size;
+
+			if ((bytes % block_size) != 0) {
+				times++;
+			}
 
-				context = php_hash_alloc_context(ops);
-				ops->hash_init(context, NULL);
+			context = php_hash_alloc_context(ops);
+			ops->hash_init(context, NULL);
 
-				key = ecalloc(1, times * block_size);
-				digest = emalloc(ops->digest_size + 1);
+			key = ecalloc(1, times * block_size);
+			digest = emalloc(ops->digest_size + 1);
 
-				for (i = 0; i < times; i++) {
-					ops->hash_init(context, NULL);
+			for (i = 0; i < times; i++) {
+				ops->hash_init(context, NULL);
 
-					for (j=0;j<i;j++) {
-						ops->hash_update(context, &null, 1);
-					}
-					ops->hash_update(context, (unsigned char *)padded_salt, salt_len);
-					ops->hash_update(context, (unsigned char *)password, password_len);
-					ops->hash_final((unsigned char *)digest, context);
-					memcpy( &key[i*block_size], digest, block_size);
+				for (j=0;j<i;j++) {
+					ops->hash_update(context, &null, 1);
 				}
-
-				RETVAL_STRINGL(key, bytes);
-				ZEND_SECURE_ZERO(key, bytes);
-				efree(digest);
-				efree(context);
-				efree(key);
+				ops->hash_update(context, (unsigned char *)padded_salt, salt_len);
+				ops->hash_update(context, (unsigned char *)password, password_len);
+				ops->hash_final((unsigned char *)digest, context);
+				memcpy( &key[i*block_size], digest, block_size);
 			}
+
+			RETVAL_STRINGL(key, bytes);
+			ZEND_SECURE_ZERO(key, bytes);
+			efree(digest);
+			efree(context);
+			efree(key);
 		}
 	}
 }
