Fix potential security leak in HashContext
Summary: CVE-2014-6229

This is not a NUL-terminated string, it's a fixed-size block of data.
The risks were key truncation (if there happens to be a NUL byte in the
key) or over-reading (which would be information leakage).

Reviewed By: @ptarjan

Differential Revision: D1533546
oyamauchi authored and hhvm-bot committed Sep 18, 2014
1 parent d2e5c6a commit 7135ec2
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion hphp/runtime/ext/ext_hash.cpp
Expand Up @@ -152,7 +152,12 @@ class HashContext : public SweepableResourceData {
context = malloc(ops->context_size);
ops->hash_copy(context, ctx->context);
options = ctx->options;
key = ctx->key ? strdup(ctx->key) : nullptr;
if (ctx->key) {
key = static_cast<char*>(malloc(ops->block_size));
memcpy(key, ctx->key, ops->block_size);
} else {
key = nullptr;
}
}

~HashContext() {
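Review bot: the added branch passes the result of `malloc(ops->block_size)` straight to `memcpy(key, ctx->key, ops->block_size)` with no null check, so an allocation failure becomes a write through a null pointer in this copy path. Check the allocation first, or use an allocator that aborts on failure. The same applies to the unchecked `context = malloc(ops->context_size)` in the context lines above. It is also worth adding a comment at the copy site saying that `key` is a fixed buffer of `ops->block_size` bytes and not a C string, since its `char*` type invites string functions like the `strdup` this change removes.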