Fix some lengths in crypt()

Use salt_len_in instead of strlen(salt) or PHP_MAX_SALT_LEN, otherwise too
much memory will be allocated.

sha512 has a 86 character checksum, not 43. That probably was a copy&paste
from the sha256 code which indeed has 43.

The allocation also was using sizeof(char *), thus allocating 4 or 8 times
as much memory as necessary. The sizeof(char *) was removed in the 5.4
branch in b7a92c9 but forgotten on 5.3.

The memset 0 call was using PHP_MAX_SALT_LEN which can be smaller than the
output buffer and thus not zeroing out everything. Use the size of the
output buffer (needed) instead.

Author: nikic

ext/standard/crypt.c

@@ -199,8 +199,8 @@ PHP_FUNCTION(crypt)
 			char *output;
 			int needed = (sizeof(sha512_salt_prefix) - 1
 						+ sizeof(sha512_rounds_prefix) + 9 + 1
-						+ PHP_MAX_SALT_LEN + 1 + 43 + 1);
-			output = emalloc(needed * sizeof(char *));
+						+ salt_in_len + 1 + 86 + 1);
+			output = emalloc(needed);
 			salt[salt_in_len] = '\0';
 
 			crypt_res = php_sha512_crypt_r(str, salt, output, needed);
@@ -214,16 +214,16 @@ PHP_FUNCTION(crypt)
 				RETVAL_STRING(output, 1);
 			}
 
-			memset(output, 0, PHP_MAX_SALT_LEN + 1);
+			memset(output, 0, needed);
 			efree(output);
 		} else if (salt[0]=='$' && salt[1]=='5' && salt[2]=='$') {
 			const char sha256_salt_prefix[] = "$5$";
 			const char sha256_rounds_prefix[] = "rounds=";
 			char *output;
 			int needed = (sizeof(sha256_salt_prefix) - 1
 						+ sizeof(sha256_rounds_prefix) + 9 + 1
-						+ PHP_MAX_SALT_LEN + 1 + 43 + 1);
-			output = emalloc(needed * sizeof(char *));
+						+ salt_in_len + 1 + 43 + 1);
+			output = emalloc(needed);
 			salt[salt_in_len] = '\0';
 
 			crypt_res = php_sha256_crypt_r(str, salt, output, needed);
@@ -237,7 +237,7 @@ PHP_FUNCTION(crypt)
 				RETVAL_STRING(output, 1);
 			}
 
-			memset(output, 0, PHP_MAX_SALT_LEN + 1);
+			memset(output, 0, needed);
 			efree(output);
 		} else if (
 				salt[0] == '$' &&