From b5628fcc599919711171a5154f37ad90bd6b5065 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 29 Sep 2017 17:17:54 +0200 Subject: Fix two cookie encryption issues found by @cfreal, and a bonus one (#18) * Fix a cookie encryption issue found by @cfreal - Use the base64-decoded payload length to allocate memory to decrypt it, instead of allocating the length of the undecoded one. This has no security impact, since the base64-encoded string is at least as large as the decoded one. Since we're using AEAD, there is no way to leak memory, since this would make the decryption fail.--- src/sp_cookie_encryption.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/sp_cookie_encryption.c') diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c index ad8438a..a47f6e1 100644 --- a/src/sp_cookie_encryption.c +++ b/src/sp_cookie_encryption.c @@ -61,14 +61,14 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args, debase64 = php_base64_decode((unsigned char *)(Z_STRVAL_P(pDest)), value_len); - if (value_len < + if (ZSTR_LEN(debase64) < crypto_secretbox_NONCEBYTES + crypto_secretbox_ZEROBYTES) { sp_log_msg("cookie_encryption", SP_LOG_DROP, "Buffer underflow tentative detected in cookie encryption handling."); return ZEND_HASH_APPLY_REMOVE; } - decrypted = pecalloc(value_len, 1, 0); + decrypted = pecalloc(ZSTR_LEN(debase64), 1, 0); ret = crypto_secretbox_open( decrypted, -- cgit v1.3
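Review bot: The early-return path inside the new length check still leaks `debase64`: `php_base64_decode` returns a freshly allocated `zend_string`, and `return ZEND_HASH_APPLY_REMOVE;` leaves it unreleased (the same leak existed before this commit, since the decode already runs on the context line above the old `value_len` check). Add `zend_string_release(debase64);` immediately before that `return`. A cookie too short to decrypt is a cheap request for an attacker, so a per-request leak on a drop path is worth closing even though each instance is small. decrypt_cookie starts before and continues after the hunk, so whether `debase64` is released on the success and decryption-failure paths cannot be confirmed from here.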