author | Stanislav Malyshev <stas@php.net> | 2014-05-27 12:10:03 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-05-27 12:10:41 -0700 |
commit | a2f8c9c1ae7c3cee168a55c75cf5014ac00a50e5 (patch) | |
tree | 86ea2718bc838c7bbd36c57752cbf5e481417559 | |
parent | 3b8bdb7164917573fa08dcd7f99797c6646d7849 (diff) | |
parent | 76b06780d5bd3b654bda98d2403994cf08b5143d (diff) | |
download | php-git-a2f8c9c1ae7c3cee168a55c75cf5014ac00a50e5.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
update NEWS
Fix bug #67249: printf out-of-bounds read
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/formatted_print.c | 6 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug67249.phpt | 8 |
3 files changed, 13 insertions, 2 deletions
@@ -27,6 +27,7 @@ PHP NEWS
 . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in zend_exceptions.c). (Bob)
 . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+ . Fixed bug #67249 (printf out-of-bounds read). (Stas)
 . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
 . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 3cd5839313..2592b1655d 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -376,6 +376,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 int alignment, currarg, adjusting, argnum, width, precision;
 char *format, *result, padding;
 int always_sign;
+ int format_len;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) {
 return NULL;
@@ -414,11 +415,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 convert_to_string_ex(args[format_offset]);
 format = Z_STRVAL_PP(args[format_offset]);
+ format_len = Z_STRLEN_PP(args[format_offset]);
 result = emalloc(size);
 currarg = 1;
- while (inpos<Z_STRLEN_PP(args[format_offset])) {
+ while (inpos<format_len) {
 int expprec = 0, multiuse = 0;
 zval *tmp;
@@ -473,7 +475,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 /* space padding, the default */
 } else if (format[inpos] == '+') {
 always_sign = 1;
- } else if (format[inpos] == '\'') {
+ } else if (format[inpos] == '\'' && inpos+1<format_len) {
 padding = format[++inpos];
 } else {
 PRINTF_DEBUG(("sprintf: end of modifiers\n"));
diff --git a/ext/standard/tests/strings/bug67249.phpt b/ext/standard/tests/strings/bug67249.phpt
new file mode 100644
index 0000000000..6ea75289e6
--- /dev/null
+++ b/ext/standard/tests/strings/bug67249.phpt
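Review bot: The new length check on the `'` modifier in the third hunk changes what a trailing `'` means — it now falls into the `else` "end of modifiers" branch and is handed to the width/conversion parsing that follows instead of consuming the next byte — but nothing in the code records why, so a later cleanup could fold the `inpos+1<format_len` test back out and reintroduce the read past the terminator. I would put a comment above the changed `else if`: `/* bug #67249: a trailing ' has no padding character to read; fall through so ++inpos never advances past the end of format */`. The other per-character reads inside the loop body still index `format[inpos]` with only the loop's `inpos<format_len` guard, which presumably relies on `Z_STRVAL_PP` strings being NUL-terminated; that assumption is worth stating in the same comment so it is visible to anyone adding further multi-byte modifiers. `php_formatted_print` starts and ends outside these hunks.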
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67249 (printf out-of-bounds read)
+--FILE--
+<?php
+var_dump(sprintf("%'", "foo"));
+?>
+--EXPECT--
+string(0) ""
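Review bot: The regression test pins only the failure shape — a lone trailing `'` yields an empty string — and nothing about the modifier still working, so a guard accidentally tightened to reject every `'` would pass this test unchanged. I would add a positive case next to it, e.g. `var_dump(sprintf("%'*5d", 1));` with a matching `string(5) "****1"` line in the `--EXPECT--` block (constructed expectation; confirm against the current build before committing). The existing `string(0) ""` expectation also appears to assert that the unterminated specifier is dropped without any diagnostic output, which a one-line comment in the `--FILE--` section could make explicit.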