php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #67249 printf out-of-bounds read
Submitted: 2014-05-12 01:35 UTC Modified: 2014-05-27 19:21 UTC
From: stas@php.net Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.28 OS: *
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
29 + 10 = ?
Subscribe to this entry?

 
 [2014-05-12 01:35 UTC] stas@php.net 
Description:
------------
printf does not check bounds properly when parsing padding specifier (single quote) which may lead to read of string past the end of the buffer. 

Test script:
---------------
printf("%’", "foo")

Expected result:
----------------
""

Actual result:
--------------
==17598== Conditional jump or move depends on uninitialised value(s)
==17598==    at 0x77EA6A: php_formatted_print (formatted_print.c:504)
==17598==    by 0x77F7B5: zif_user_sprintf (formatted_print.c:671)
==17598==    by 0x8FA5E2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==17598==    by 0x8EBE7F: execute_ex (zend_vm_execute.h:363)
==17598==    by 0x86A089: zend_eval_stringl (zend_execute_API.c:1187)
==17598==    by 0x86A168: zend_eval_stringl_ex (zend_execute_API.c:1234)
==17598==    by 0x928472: do_cli (php_cli.c:1034)
==17598==    by 0x928EB7: main (php_cli.c:1378)

Patches

fix-printf (last revision 2014-05-12 01:47 UTC by stas@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-05-12 01:40 UTC] stas@php.net 
Test script should be printf("%'", "foo") (no unicode chars)
 [2014-05-12 01:47 UTC] stas@php.net 
The following patch has been added/updated:

Patch Name: fix-printf
Revision:   1399859257
URL:        https://bugs.php.net/patch-display.php?bug=67249&patch=fix-printf&revision=1399859257
 [2014-05-27 19:21 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2014-05-27 19:21 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2014-06-01 15:05 UTC] laruence@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-04 01:22 UTC] tyrael@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-06 07:00 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-06 07:07 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-07-29 21:57 UTC] johannes@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-08-14 15:34 UTC] johannes@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-08-14 19:32 UTC] dmitry@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-10-07 23:14 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-10-07 23:15 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-10-07 23:25 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-10-07 23:26 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 15:00:01 2025 UTC