[2006-08-04 00:36 UTC] heintz at hotmail dot com
Description:
------------
ext/standard/scanf.c line ~887
---
if (numVars) {
current = args[objIndex++];
---
objIndex points past the end of the array in other format cases too
Reproduce code:
---------------
sscanf('foo ','$1s',$str);
http://www.plain-text.info/sscanf_bug.txt - full description
Actual result:
--------------
It will try to dereference a pointer to pointer, which usually causes a segmentation fault.
The checkformat function checks the invalid numbers by subtracting one, but the scanning function doesn't, so it seems to me the only problem here is that someone has forgotten to subtract 1. Code from scanf.c line 737:
---
} else if ( isdigit(UCHAR(*ch))) {
    value = strtoul(format-1, &end, 10);
    if (*end == '$') {
        format = end+1;
        ch = format++;
        objIndex = varStart + value;
    }
}
---
I think just by making it objIndex = varStart + value - 1; it would be secure and keep the functionality. Though the ifs won't hurt if you subtract one, so they can stay for insurance if performance is not that big of an issue.
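As an added illustration of the off-by-one discussed in this comment (example code, not PHP's scanf.c), a simplified model of how a positional specifier such as "1$s" is turned into an index into the output-variable array. The uncorrected computation sits beside a version that subtracts one and rejects out-of-range positions; varStart, numVars and the spec string are assumed inputs.

```c
#include <stdlib.h>

/* Hypothetical model of the positional-specifier handling: `spec` points at
   the digits following '%' in a conversion like "%1$s", `varStart` is the
   index of the first output variable in the args array, and `numVars` is
   how many output variables were actually passed. */

/* Uncorrected variant, mirroring the report: the 1-based position is used
   directly as a 0-based offset, so "%1$s" with one variable yields index 1,
   which is one past the end of a one-element array. Returns -1 when the
   specifier is not positional. */
static long positional_index_unchecked(const char *spec, long varStart)
{
    char *end;
    long value = strtol(spec, &end, 10);
    if (*end != '$')
        return -1;                  /* not a "%N$" positional specifier */
    return varStart + value;        /* off by one: no "- 1" */
}

/* Corrected variant: subtract one to convert the 1-based position to an
   offset, and refuse positions that fall outside [varStart, varStart+numVars).
   Returns -1 for a non-positional specifier or an out-of-range position, so
   the caller never indexes args[] with a bad value. */
static long positional_index_checked(const char *spec, long varStart,
                                     long numVars)
{
    char *end;
    long value = strtol(spec, &end, 10);
    if (*end != '$' || value < 1)
        return -1;                  /* not positional, or "%0$" */
    long idx = varStart + value - 1;
    if (idx < varStart || idx >= varStart + numVars)
        return -1;                  /* position refers to a variable not passed */
    return idx;
}
```

With varStart = 0 and one output variable, the unchecked form resolves "1$s" to index 1 while the checked form resolves it to index 0 and rejects "2$s".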