From 22f44d031dd846cd1ff2f032ea10bc1ff1797f42 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 1 May 2012 21:18:17 +0200
Subject: avoid integer overflow in PassHash::pmd5 method

Input iteration counts are squared in the function and passing something
above 30 is giving integer overflows on 32 bit systems (and causes insane
iteration counts on 64bit systems).
---
 inc/PassHash.class.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'inc/PassHash.class.php')

diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php
index 3fb1349d2..d825057f0 100644
--- a/inc/PassHash.class.php
+++ b/inc/PassHash.class.php
@@ -316,6 +316,11 @@ class PassHash {
      * Uses salted MD5 hashs. Salt is 1+8 bytes long, 1st byte is the
      * iteration count when given, for null salts $compute is used.
      *
+     * The actual iteration count is the given count squared, maximum is
+     * 30 (-> 1073741824). If a higher one is given, the function throws
+     * an exception.
+     *
+     * @link  http://www.openwall.com/phpass/
      * @param string $clear - the clear text to hash
      * @param string $salt  - the salt to use, null for random
      * @param string $magic - the hash identifier (P or H)
@@ -330,6 +335,12 @@ class PassHash {
         }
         $iterc = $salt[0]; // pos 0 of salt is iteration count
         $iter = strpos($itoa64,$iterc);
+
+        if($iter > 30){
+            throw new Exception("Too high iteration count ($iter) in ".
+                                __class__.'::'.__function__);
+        }
+
         $iter = 1 << $iter;
         $salt = substr($salt,1,8);
 
-- 
cgit v1.2.3