@@ -7396,6 +7396,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
73967396 const char * aad , size_t aad_len , int enc ) /* {{{ */
73977397{
73987398 int i = 0 ;
7399+ size_t outlen = data_len + EVP_CIPHER_block_size (cipher_type );
73997400
74007401 if (mode -> is_single_run_aead && !EVP_CipherUpdate (cipher_ctx , NULL , & i , NULL , (int )data_len )) {
74017402 php_openssl_store_errors ();
@@ -7409,7 +7410,19 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
74097410 return FAILURE ;
74107411 }
74117412
7412- * poutbuf = zend_string_alloc ((int )data_len + EVP_CIPHER_block_size (cipher_type ), 0 );
7413+ #ifdef EVP_CIPH_WRAP_MODE
7414+ if ((EVP_CIPHER_mode (cipher_type )) == EVP_CIPH_WRAP_MODE ) {
7415+ /*
7416+ * RFC 5649 wrap-with-padding rounds the input up to the block size
7417+ * and prepends an integrity block, we reserve one extra block.
7418+ * See EVP_EncryptUpdate(3): wrap mode may write up to
7419+ * inl + cipher_block_size bytes.
7420+ */
7421+ outlen += EVP_CIPHER_block_size (cipher_type );
7422+ }
7423+ #endif
7424+
7425+ * poutbuf = zend_string_alloc (outlen , false);
74137426
74147427 if (!EVP_CipherUpdate (cipher_ctx , (unsigned char * )ZSTR_VAL (* poutbuf ),
74157428 & i , (const unsigned char * )data , (int )data_len )) {
@@ -7421,7 +7434,7 @@ static int php_openssl_cipher_update(const EVP_CIPHER *cipher_type,
74217434 }
74227435 */
74237436 php_openssl_store_errors ();
7424- zend_string_release_ex (* poutbuf , 0 );
7437+ zend_string_release_ex (* poutbuf , false );
74257438 return FAILURE ;
74267439 }
74277440
0 commit comments