fix crash when session hash function generated long hashes with hash_bits_per_character larger than 4

ext/session/session.c

@@ -284,7 +284,7 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 	unsigned char *digest;
 	int digest_len;
 	int j;
-	char *buf;
+	char *buf, *outid;
 	struct timeval tv;
 	zval **array;
 	zval **token;
@@ -332,6 +332,7 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 			efree(buf);
 			return NULL;
 	}
+	efree(buf);
 
 	if (PS(entropy_length) > 0) {
 		int fd;
@@ -388,19 +389,15 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now");
 	}
 
-	if (PS_ID_INITIAL_SIZE < ((digest_len + 2) * (8 / PS(hash_bits_per_character))) ) {
-		/* 100 bytes is enough for most, but not all hash algos */
-		buf = erealloc(buf, (digest_len + 2) * (8 / PS(hash_bits_per_character)) );
-	}
-
-	j = (int) (bin_to_readable((char *)digest, digest_len, buf, PS(hash_bits_per_character)) - buf);
+	outid = emalloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5));
+	j = (int) (bin_to_readable((char *)digest, digest_len, outid, PS(hash_bits_per_character)) - outid);
 	efree(digest);
 
 	if (newlen) {
 		*newlen = j;
 	}
 
-	return buf;
+	return outid;
 }
 /* }}} */
 

ext/session/tests/031.phpt

@@ -0,0 +1,22 @@
+--TEST--
+setting hash_function to sha512 and hash_bits_per_character > 4 should not crash
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--INI--
+session.use_cookies=0
+session.cache_limiter=
+session.serialize_handler=php
+session.save_handler=files
+session.hash_function=sha512
+session.hash_bits_per_character=5
+--FILE--
+<?php
+error_reporting(E_ALL);
+
+session_start();
+session_regenerate_id(TRUE);
+
+print "I live\n";
+?>
+--EXPECT--
+I live