php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38322 reading past array in sscanf leads to arbitary code execution
Submitted: 2006-08-04 00:36 UTC Modified: 2006-08-04 11:59 UTC
From: heintz at hotmail dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 5.1.4 OS: all
Private report: No CVE-ID: None
 [2006-08-04 00:36 UTC] heintz at hotmail dot com
Description:
------------
ext/standard/scanf.c line ~887
  ---
  if (numVars) {
                    current = args[objIndex++];                
  ---
  
  objIndex points past the end of array in other format cases too





Reproduce code:
---------------
sscanf('foo ','$1s',$str);

http://www.plain-text.info/sscanf_bug.txt - full description

Actual result:
--------------
will try to dereference a pointer to pointer which usually causes segmentation fault

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-04 09:28 UTC] tony2001@php.net
Please check out this patch: http://tony2001.phpclub.net/dev/tmp/bug38322.diff
 [2006-08-04 11:36 UTC] heintz at hotmail dot com
the checkformat function checks the invalid numbers
by subtracting one but the scanning function doesnt
so seems to me the only problem here is that someone has forgotten to subract 1
code from scanf.c line 737

} else if ( isdigit(UCHAR(*ch))) { 
                value = strtoul(format-1, &end, 10); 
                if (*end == '$') {
                    format = end+1;
                    ch = format++;
                    objIndex = varStart + value;
                }
         }

i think just by putting making a objIndex = varStart + value -1;

it would be secure and keep the functionality. though the if-s wont hurt if you subract one so they can stay for insurance if performance is not that big of a issue.
 [2006-08-04 11:59 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC