Bug #35978 %n format string specifier wrongly implemented
Submitted: 2006-01-12 14:12 UTC Modified: 2006-01-24 22:00 UTC
From: Assigned: helly (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.1.2 OS: *
Private report: No CVE-ID: None
 [2006-01-12 14:12 UTC]
%n is wrongly implemented in our low level printf functions.

When %n is used, it does not only write the char counter but also again outputs whatever is in the current string buffer. => crash when %n is used first.


 [2006-01-12 14:22 UTC]
Reproduce case and gdb backtrace are highly welcome.
 [2006-01-12 14:38 UTC]
To reproduce this you need to write a PHP extension, because the problem is in our spprintf/snprintf functions. You could try something like

spprintf("blah%n", &x);

It should crash, because when %n is parsed it will write 4 to x and then try to output what currently is within s and has the length s_len. Because s_len is not initialised it will try to output a "random" number of bytes stored at NULL. When %n is found it has to overjump the whole output process.

You don't need a backtrace: it will crash in

static void xbuf_format_converter(smart_str *xbuf, const char *fmt, va_list ap)

when it tries to do

     * Print the string s.
    INS_STRING(xbuf, s, s_len);

at the end of the function, because s and s_len are not properly initialised. %n should at least set s_len to 0 if not overjump the output step completely.
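The defect described in this comment, shown on a small model of the converter loop. This is an added example, not PHP's xbuf_format_converter and not code from the reporter: fmt_convert, its buggy flag and the two wrapper functions are hypothetical. The buggy mode keeps the "print the string s" step after %n, so the stale s/s_len from the previous conversion is emitted a second time; the fixed mode records the count, sets s_len to 0 and skips the output step, which is the change the comment asks for. The real code left s and s_len uninitialised, so the failure there was a crash; here they are given safe defaults so the stale-data path is deterministic.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style converter modelled on the loop described in
 * the report. Understands %s, %d and %n. buggy == true reproduces the
 * defect (no skip after %n); buggy == false applies the proposed fix.
 * Returns the number of characters the full output would need. */
static size_t fmt_convert(char *out, size_t cap, bool buggy,
                          const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;
    char num[32];
    /* Constructed safe defaults; the original code had these uninitialised. */
    const char *s = "";
    size_t s_len = 0;

    va_start(ap, fmt);
    while (*fmt) {
        if (*fmt != '%') {
            if (pos + 1 < cap) out[pos] = *fmt;
            pos++;
            fmt++;
            continue;
        }
        fmt++;
        if (*fmt == '\0') break;            /* dangling '%' at end of format */
        bool skip_output = false;
        switch (*fmt) {
        case 's':
            s = va_arg(ap, const char *);
            s_len = strlen(s);
            break;
        case 'd':
            snprintf(num, sizeof num, "%d", va_arg(ap, int));
            s = num;
            s_len = strlen(num);
            break;
        case 'n':
            *va_arg(ap, int *) = (int)pos;  /* store the count written so far */
            if (!buggy) {
                s_len = 0;                  /* nothing to print for %n */
                skip_output = true;         /* overjump the output step */
            }
            break;
        default:
            s = fmt;                        /* echo an unknown specifier char */
            s_len = 1;
            break;
        }
        fmt++;
        if (skip_output) continue;
        /* "Print the string s." In buggy mode this runs for %n as well and
         * re-emits whatever the previous conversion left in s/s_len. */
        for (size_t i = 0; i < s_len; i++) {
            if (pos + 1 < cap) out[pos] = s[i];
            pos++;
        }
    }
    va_end(ap);
    out[pos < cap ? pos : cap - 1] = '\0';
    return pos;
}

/* Reporter's reproduce case: %n right after literal text. Returns the count. */
static int n_first_count(bool buggy)
{
    char buf[64];
    int n = -1;
    fmt_convert(buf, sizeof buf, buggy, "blah%n", &n);
    return n;
}

/* %n after a %s conversion: shows the stale buffer being re-emitted. */
static const char *stale_demo(bool buggy)
{
    static char buf[64];
    int n = -1;
    fmt_convert(buf, sizeof buf, buggy, "ab%sc%n!", "XY", &n);
    return buf;
}

int main(void)
{
    printf("fixed : count=%d  \"%s\"\n", n_first_count(false), stale_demo(false));
    printf("buggy : count=%d  \"%s\"\n", n_first_count(true), stale_demo(true));
    return 0;
}
```

In fixed mode "ab%sc%n!" yields "abXYc!" with the count 5; in buggy mode the same format yields "abXYcXY!" because the "XY" left in s from the %s conversion is printed again when %n falls through to the output step.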
 [2006-01-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-01-24 22:00 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
