1 files changed, 9 insertions, 0 deletions

diff --git a/src/sp_crypt.c b/src/sp_crypt.c
index 6d48554..3b65616 100644
--- a/src/sp_crypt.c
+++ b/src/sp_crypt.c
@@ -32,6 +32,7 @@ void generate_key(unsigned char *key) {
   }
 
   PHP_SHA256Final((unsigned char *)key, &ctx);
+  ZEND_SECURE_ZERO(&ctx, sizeof(ctx));
 }
 
 // This function return 0 upon success , non-zero otherwise
@@ -42,6 +43,11 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) {
 
   zend_string *debase64 = php_base64_decode((unsigned char *)(Z_STRVAL_P(pDest)), Z_STRLEN_P(pDest));
 
+  if (!debase64) {
+      sp_log_drop( "cookie_encryption", "Unable to base64-decode the cookie");
+      return ZEND_HASH_APPLY_REMOVE;
+  }
+
   if (ZSTR_LEN(debase64) < crypto_secretbox_NONCEBYTES) {
     if (true == simulation) {
       sp_log_simulation(
@@ -115,6 +121,7 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) {
   ret = ZEND_HASH_APPLY_KEEP;
 
 out:
+  ZEND_SECURE_ZERO(key, sizeof(key));
   zend_string_efree(debase64);
   efree(decrypted);
   efree(backup);
@@ -164,6 +171,8 @@ zend_string *encrypt_zval(zend_string *data) {
     z = php_base64_encode(encrypted_data, emsg_and_nonce_len);
   }
 
+  ZEND_SECURE_ZERO(key, sizeof(key));
+  ZEND_SECURE_ZERO(nonce, sizeof(nonce));
   efree(data_to_encrypt);
   efree(encrypted_data);