crypt: Fix possible buffer overread in php_crypt()

Author: TimWolla

ext/standard/crypt.c

@@ -135,6 +135,7 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
 		} else if (
 				salt[0] == '$' &&
 				salt[1] == '2' &&
+				salt[2] != 0 &&
 				salt[3] == '$') {
 			char output[PHP_MAX_SALT_LEN + 1];
 

ext/standard/tests/password/password_bcrypt_short.phpt

@@ -0,0 +1,8 @@
+--TEST--
+Test that password_hash() does not overread buffers when a short hash is passed
+--FILE--
+<?php
+var_dump(password_verify("foo", '$2'));
+?>
+--EXPECT--
+bool(false)