php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75067 Passing of unterminated C string as argument to %s in format string
Submitted: 2017-08-12 17:33 UTC Modified: 2021-01-15 14:07 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: enclaved at safe-mail dot net Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.1.8 OS: All
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: enclaved at safe-mail dot net
New email:
PHP Version: OS:

 

 [2017-08-12 17:33 UTC] enclaved at safe-mail dot net
Description:
------------
Zend/zend_API.h, around line 580:

#define CHECK_ZVAL_STRING(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s)", ZSTR_VAL(str)); }
#define CHECK_ZVAL_STRING_REL(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", ZSTR_VAL(str) ZEND_FILE_LINE_RELAY_CC); }

Both of these macros pass unterminated C strings (as far as zend_string is concerned) to zend_error() as arguments to the %s format string conversion specifier. Regardless of whether the strings are implicitly terminated by whatever allocation method they use, this is generally a very bad practice from the common C format string usage semantics. If a truly unterminated C string wrapped in zend_string is passed to one of these macros, it will almost certainly result in delivery of SIGBUS (or SIGSEGV on some platforms).

Please make a terminated copy of the string in question with estrndup() or similar means, giving ZSTR_LEN() as an explicit length.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-15 14:07 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-01-15 14:07 UTC] cmb@php.net
This has been fixed[1] in the meantime (available as of PHP
8.0.0).  Regarding prior PHP versions, this is not really an
issue, since it would affect debug builds only, and it is not
supposed to happen anyway.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=ef9ab9159b409c6d3ea184b4ba88764d85c4133b>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 06:01:29 2024 UTC