| Bug #38322 | reading past array in sscanf leads to arbitary code execution | ||||
|---|---|---|---|---|---|
| Submitted: | 4 Aug 2006 12:36am UTC | Modified: | 4 Aug 2006 11:59am UTC | ||
| From: | heintz at hotmail dot com | Assigned to: | |||
| Status: | Closed | Category: | Strings related | ||
| Version: | 5.1.4 | OS: | all | ||
[4 Aug 2006 9:28am UTC] tony2001@php.net
Please check out this patch: http://tony2001.phpclub.net/dev/tmp/bug38322.diff
[4 Aug 2006 11:36am UTC] heintz at hotmail dot com
the checkformat function checks the invalid numbers
by subtracting one but the scanning function doesnt
so seems to me the only problem here is that someone has forgotten to
subract 1
code from scanf.c line 737
} else if ( isdigit(UCHAR(*ch))) {
value = strtoul(format-1, &end, 10);
if (*end == '$') {
format = end+1;
ch = format++;
objIndex = varStart + value;
}
}
i think just by putting making a objIndex = varStart + value -1;
it would be secure and keep the functionality. though the if-s wont hurt
if you subract one so they can stay for insurance if performance is not
that big of a issue.
[4 Aug 2006 11:59am UTC] tony2001@php.net
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better.
Description: ------------ ext/standard/scanf.c line ~887 --- if (numVars) { current = args[objIndex++]; --- objIndex points past the end of array in other format cases too Reproduce code: --------------- sscanf('foo ','$1s',$str); http://www.plain-text.info/sscanf_bug.txt - full description Actual result: -------------- will try to dereference a pointer to pointer which usually causes segmentation fault