PHP :: Bug #61124 :: Segmentation fault

Bug #61124	Segmentation fault
Submitted:	2012-02-17 17:11 UTC	Modified:	2012-02-23 01:28 UTC
From:	mangirdas at impresspages dot org	Assigned:	scottmac (profile)
Status:	Closed	Package:	OpenSSL related
PHP Version:	5.3.10	OS:	CentOS release 5.7 (Final)
Private report:	No	CVE-ID:	None

View Developer Edit

[2012-02-17 17:11 UTC] mangirdas at impresspages dot org

Description:
------------
This function throws a segmentation fault:

openssl_decrypt ('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', $rawOutput, 
'pass');

Test script:
---------------
<?php
openssl_decrypt ('kzo w2RMExUTYQXW2Xzxmg==', 'aes-128-cbc', 'pass', $rawOutput, 
'pass');

Expected result:
----------------
FALSE, because encrypted string is incorrect.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-02-17 17:35 UTC] [email protected]

Confirmed

It would help to mention that this gives this warning:

Warning: openssl_decrypt(): IV passed is only 4 bytes long, cipher expects an IV 
of precisely 16 bytes, padding with \0

which is probably the cause here. The buffer we pass in is not large enough to 
fit the IV.

A quick hack which fixes the segfault:


--- ext/openssl/openssl.c	(revision 323261)
+++ ext/openssl/openssl.c	(working copy)
@@ -4819,7 +4819,7 @@
 	free_iv = php_openssl_validate_iv(&iv, &iv_len, 
EVP_CIPHER_iv_length(cipher_type) TSRMLS_CC);
 
 	outlen = data_len + EVP_CIPHER_block_size(cipher_type);
-	outbuf = emalloc(outlen + 1);
+	outbuf = emalloc(outlen + 16);
 
 	EVP_DecryptInit(&cipher_ctx, cipher_type, NULL, NULL);
 	if (password_len > keylen) {

but it obviously isn't the right solution.

[2012-02-18 00:53 UTC] me at ktamura dot com

FYI...the said "hacky" patch of adding 16 as opposed to 1 bytes do not solve the 
problem for PHP 5.3.8 built with --enable-debug and --with-openssl --without-iconv 
options on snow leopard.

[2012-02-18 01:02 UTC] me at ktamura dot com

I feel that the real issue is that there is no input check on the first argument of 
openssl_decrypt. Looking at http://linux.die.net/man/3/evp_decryptupdate it is 
unclear what the expected behavior is if you feed invalid input into 
EVP_DecryptUpdate. Perhaps we can do input validation?

[2012-02-18 04:39 UTC] me at ktamura dot com

I think I know why. Basically, when the input data is malformed but $raw_input is set to false, we get a null pointer. Here is a suggested patch (Also available at https://gist.github.com/1857431)

Index: ext/openssl/openssl.c
===================================================================
--- ext/openssl/openssl.c   (revision 323312)
+++ ext/openssl/openssl.c   (working copy)
@@ -4801,6 +4801,11 @@
        base64_str = (char*)php_base64_decode((unsigned char*)data, data_len, &base64_str_len);
        data_len = base64_str_len;
        data = base64_str;
+        
+        if (data == NULL) {
+            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode the base64 input");
+            RETURN_FALSE;
+        }
    }

    keylen = EVP_CIPHER_key_length(cipher_type);

[2012-02-22 11:50 UTC] [email protected]

-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye

[2012-02-22 18:55 UTC] [email protected]

-Assigned To: pajoye +Assigned To: scottmac

[2012-02-22 18:55 UTC] [email protected]

Scott said he'd look into it :-)

[2012-02-23 01:26 UTC] [email protected]

Automatic comment from SVN on behalf of scottmac
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323440
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).

[2012-02-23 01:28 UTC] [email protected]

-Status: Assigned +Status: Closed

[2012-02-23 01:28 UTC] [email protected]

Thanks, Fixed in 5.3, 5.4 and trunk.

[2012-02-25 13:27 UTC] [email protected]

Automatic comment from SVN on behalf of odoucet
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323509
Log: test for bug #61124

[2012-04-18 09:46 UTC] [email protected]

Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).

[2012-07-24 23:37 UTC] [email protected]

Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).

[2013-11-17 09:33 UTC] [email protected]

Automatic comment on behalf of scottmac
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6c331093b4a87698bd60a4934a688d9bfb64a99f
Log: Fixed bug #61124 (Crash when decoding an invalid base64 encoded string).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jun 10 05:01:25 2025 UTC