patch

LamentXU123 · LamentXU123 · commit c5e9672c4dc3 · 2026-04-13T19:37:18.000+08:00
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
@@ -67,7 +67,7 @@ PHP_MSHUTDOWN_FUNCTION(crypt) /* {{{ */
 }
 /* }}} */
 
-PHPAPI zend_string *php_crypt(const char *password, size_t pass_len, const char *salt, size_t salt_len, bool quiet)
+PHPAPI zend_string *php_crypt(const char *password, size_t pass_len, const char *salt, int salt_len, bool quiet)
 {
 	char *crypt_res;
 	zend_string *result;
@@ -206,8 +206,8 @@ PHP_FUNCTION(crypt)
 	zend_string *result;
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
-		Z_PARAM_STRING(str, str_len)
-		Z_PARAM_STRING(salt_in, salt_in_len)
+		Z_PARAM_PATH(str, str_len)
+		Z_PARAM_PATH(salt_in, salt_in_len)
 	ZEND_PARSE_PARAMETERS_END();
 
 	salt[0] = salt[PHP_MAX_SALT_LEN] = '\0';
diff --git a/ext/standard/tests/password/password_bcrypt_null_verify.phpt b/ext/standard/tests/password/password_bcrypt_null_verify.phpt
@@ -2,8 +2,9 @@
 password_* handles bcrypt passwords containing null bytes
 --SKIPIF--
 <?php
-$setting = '$2y$05$CCCCCCCCCCCCCCCCCCCCC.';
-if (crypt("foo\0bar", $setting) === crypt("foo", $setting)) {
+$password = "foo\0bar";
+$hash = password_hash($password, PASSWORD_BCRYPT);
+if (!is_string($hash) || !password_verify($password, $hash) || password_verify("foo", $hash)) {
     die("skip bcrypt backend truncates NUL bytes");
 }
 ?>
diff --git a/ext/standard/tests/strings/bug62443.phpt b/ext/standard/tests/strings/bug62443.phpt
@@ -2,9 +2,18 @@
 Bug #62443 Crypt SHA256/512 Segfaults With Malformed Salt
 --FILE--
 <?php
-crypt("foo", '$5$'.chr(0).'abc');
-crypt("foo", '$6$'.chr(0).'abc');
-echo "OK!";
+try {
+    crypt("foo", '$5$'.chr(0).'abc');
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    crypt("foo", '$6$'.chr(0).'abc');
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
-OK!
+crypt(): Argument #2 ($salt) must not contain any null bytes
+crypt(): Argument #2 ($salt) must not contain any null bytes
diff --git a/ext/standard/tests/strings/crypt_blowfish_null.phpt b/ext/standard/tests/strings/crypt_blowfish_null.phpt
diff --git a/ext/standard/tests/strings/crypt_nul_bytes.phpt b/ext/standard/tests/strings/crypt_nul_bytes.phpt
@@ -0,0 +1,19 @@
+--TEST--
+crypt() rejects passwords and salts containing null bytes
+--FILE--
+<?php
+try {
+    crypt("foo\0bar", '$2y$05$CCCCCCCCCCCCCCCCCCCCC.');
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+
+try {
+    crypt("foo", '$2y$05$CCCCCCCCCCC' . "\0" . 'CCCCCCC.');
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
+?>
+--EXPECT--
+crypt(): Argument #1 ($string) must not contain any null bytes
+crypt(): Argument #2 ($salt) must not contain any null bytes
