authorStanislav Malyshev <stas@php.net>2014-05-27 12:11:07 -0700
committerStanislav Malyshev <stas@php.net>2014-05-27 12:11:59 -0700
commit13a3826687d270f6154c489244feffcecf33f838 (patch)
tree6ca20e46a8bcf0b98ee705a91606d6b4b434209e
parenteb2bd850041a84ac40d3b025419fb9a1b88b2280 (diff)
parenta2f8c9c1ae7c3cee168a55c75cf5014ac00a50e5 (diff)
downloadphp-git-13a3826687d270f6154c489244feffcecf33f838.tar.gz
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5: update NEWS Fix bug #67249: printf out-of-bounds read 5.5.13 release date
-rw-r--r--NEWS3
-rw-r--r--ext/standard/formatted_print.c6
-rw-r--r--ext/standard/tests/strings/bug67249.phpt8
3 files changed, 15 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 080e9c65b6..82a1ce2af3 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2014, PHP 5.6.0 Beta 4
+- Core:
+ . Fixed bug #67249 (printf out-of-bounds read). (Stas)
+
- Date:
. Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
(Adam)
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 3cd5839313..2592b1655d 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -376,6 +376,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
int alignment, currarg, adjusting, argnum, width, precision;
char *format, *result, padding;
int always_sign;
+ int format_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) {
return NULL;
@@ -414,11 +415,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
convert_to_string_ex(args[format_offset]);
format = Z_STRVAL_PP(args[format_offset]);
+ format_len = Z_STRLEN_PP(args[format_offset]);
result = emalloc(size);
currarg = 1;
- while (inpos<Z_STRLEN_PP(args[format_offset])) {
+ while (inpos<format_len) {
int expprec = 0, multiuse = 0;
zval *tmp;
@@ -473,7 +475,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
/* space padding, the default */
} else if (format[inpos] == '+') {
always_sign = 1;
- } else if (format[inpos] == '\'') {
+ } else if (format[inpos] == '\'' && inpos+1<format_len) {
padding = format[++inpos];
} else {
PRINTF_DEBUG(("sprintf: end of modifiers\n"));
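Review bot: The new `inpos+1<format_len` guard on the `'` branch has no comment saying why it is needed: the branch consumes the padding character with `format[++inpos]`, so a trailing `'` would otherwise let the index move past the end of the format string. I would add a comment above the branch such as `/* the padding char must exist; a trailing ' ends the modifiers instead of consuming the terminator */`. The other `format[inpos]` reads visible in this hunk are not compared with `format_len` and presumably rely on the string's terminating NUL, which is worth stating in the same comment. A dangling `'` now falls through silently to the "end of modifiers" branch with no diagnostic, so confirm that the quiet empty result pinned by the new test is the intended user-visible behaviour. The modifier loop and the rest of php_formatted_print start and end outside this hunk.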
diff --git a/ext/standard/tests/strings/bug67249.phpt b/ext/standard/tests/strings/bug67249.phpt
new file mode 100644
index 0000000000..6ea75289e6
--- /dev/null
+++ b/ext/standard/tests/strings/bug67249.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67249 (printf out-of-bounds read)
+--FILE--
+<?php
+var_dump(sprintf("%'", "foo"));
+?>
+--EXPECT--
+string(0) ""
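Review bot: The test exercises only a format string consisting of `%'` alone, and an out-of-bounds read does not necessarily change the output, so this case may also pass on an unfixed build unless it is run under a memory checker. Adding cases where the dangling `'` follows literal text or an argument number, for example `var_dump(sprintf("foo%'", "bar"));`, would pin the boundary handling more tightly. Their expected output should be taken from a run of the fixed build. A short comment in the `--FILE--` section noting that the regression is a read past the end of the format string would also help whoever next touches the test.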