Memory corruption (zend_mm_heap corrupted) in `openssl_encrypt` with AES-WRAP-PAD

[olegbaturin]

Description

The following code:

<?php
$algo = "AES-128-WRAP-PAD";
$pass = random_bytes(16);
$iv = str_repeat("\0", 4);
for ($i = 1; $i < 258; $i++) {
    $data = random_bytes($i);
    echo "$i.";
    $enc = openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv);
}

Commad line:

php -r '$algo = "AES-128-WRAP-PAD"; $pass = random_bytes(16); $iv = str_repeat("\0", 4); for ($i = 1; $i < 258; $i++) { $data = random_bytes($i); echo $i.".";  openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv); }'

Resulted in this output:

1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.zend_mm_heap corrupted

PHP Version

PHP 8.5.6 (cli) (built: May 19 2026 23:08:03) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.5.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.6, Copyright (c), by Zend Technologies

OpenSSL 3.5.6 7 Apr 2026

---

PHP 8.5.6 (cli) (built: May  6 2026 09:31:05) (ZTS Visual C++ 2022 x64)
Copyright (c) The PHP Group
Built by The PHP Group
Zend Engine v4.5.6, Copyright (c) Zend Technologies
    with Zend OPcache v8.5.6, Copyright (c), by Zend Technologies

OpenSSL 3.5.6 7 Apr 2026

---

PHP 8.4.21 (cli) (built: May 19 2026 23:08:19) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.4.21, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.21, Copyright (c), by Zend Technologies

OpenSSL 3.5.6 7 Apr 2026

---

PHP 8.4.21 (cli) (built: May  6 2026 09:30:47) (ZTS Visual C++ 2022 x64)
Copyright (c) The PHP Group
Built by The PHP Group
Zend Engine v4.4.21, Copyright (c) Zend Technologies
    with Zend OPcache v8.4.21, Copyright (c), by Zend Technologies

OpenSSL 3.0.20 7 Apr 2026

Operating System

No response

[devnexen]

with release build, the heap overrun is visible, the cipher attempts to write past the data length + 8 allocated.

[olegbaturin]

The same issue occurs with AES-WRAP-PAD-INV

[devnexen]

would you have a reproducer for this one too eventually please ?

[olegbaturin]

Set the $algo = "AES-128-WRAP-PAD-INV";

<?php
$algo = "AES-128-WRAP-PAD-INV";
$pass = random_bytes(16);
$iv = str_repeat("\0", 4);
for ($i = 1; $i < 258; $i++) {
    $data = random_bytes($i);
    echo "$i.";
    $enc = openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv);
}

[olegbaturin]

Another bug with AES-GCM-SIV: output truncated to 8 bytes and authentication tag is null (expected plaintext + 16-byte tag)

$algo = "AES-128-GCM-SIV";
$pass = random_bytes(16);
$iv = str_repeat("\0", 12);
$data = random_bytes(8);
$enc = openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv, $tag);
var_dump($enc, $tag);

[devnexen]

Ah I see, this cipher is not available for me locally but my fix should still work as being within EVP_CIPH_WRAP_MODE type.

[devnexen]

Another bug with AES-GCM-SIV: output truncated to 8 bytes and authentication tag is null (expected plaintext + 16-byte tag)

$algo = "AES-128-GCM-SIV";
$pass = random_bytes(16);
$iv = str_repeat("\0", 12);
$data = random_bytes(8);
$enc = openssl_encrypt($data, $algo, $pass, OPENSSL_RAW_DATA | OPENSSL_DONT_ZERO_PAD_KEY, $iv, $tag);
var_dump($enc, $tag);

I think it should be a separate report and I m not even sure it s a bug but more a missing feature but again locally I do not have this mode. But definitively a different case :)

[olegbaturin]

I m not even sure it s a bug but more a missing feature

I’m also not sure this is a bug, but it’s very likely. Updating OpenSSL should add support for the wrap-pad and gcm-siv algorithms.