From a92acbad873a05470af1a47cb785a18eadd827b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Mon, 23 Jan 2023 22:13:57 +0100
Subject: [PATCH] crypt: Fix possible buffer overread in php_crypt()
---
 ext/standard/crypt.c | 1 +
 ext/standard/tests/password/password_bcrypt_short.phpt | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 ext/standard/tests/password/password_bcrypt_short.phpt
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 8c105cf910e8..8316c8b96063 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -135,6 +135,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 } else if (
 salt[0] == '$' &&
 salt[1] == '2' &&
+ salt[2] != 0 &&
 salt[3] == '$') {
 char output[PHP_MAX_SALT_LEN + 1];
diff --git a/ext/standard/tests/password/password_bcrypt_short.phpt b/ext/standard/tests/password/password_bcrypt_short.phpt
new file mode 100644
index 000000000000..085bc8a23904
--- /dev/null
+++ b/ext/standard/tests/password/password_bcrypt_short.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Test that password_hash() does not overread buffers when a short hash is passed
+--FILE--
+
+--EXPECT--
+bool(false)
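Review bot: The added `salt[2] != 0 &&` in the `$2` branch has no comment, and its purpose is easy to miss: it stops the `&&` chain before `salt[3]` is read when the string ends at index 2. I would put `/* salt[2] is the bcrypt variant character; a NUL there means the salt ends before salt[3] */` above the condition so a later cleanup does not drop the test as redundant. The guard depends on the salt being NUL-terminated, which this hunk does not show. The signature in the hunk header is cut off, so if a salt length is passed in (inferred, not visible here), comparing the index against it would make the bound explicit. The branch body continues past the end of the hunk.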
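Review bot: The expected output `bool(false)` in the new .phpt is probably what an unpatched build prints as well, because a one-byte over-read rarely changes the result, so the test seems to catch a regression only when the suite runs under ASan or Valgrind. The `--FILE--` body is not visible on this page, so this is inferred from the title and the `--EXPECT--` section alone. Consider saying in the `--TEST--` description that the check is meaningful under a memory checker. The title names password_hash(), while a short hash is normally something passed to password_verify(), so it is worth confirming the title matches the call.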