|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38322 reading past array in sscanf leads to arbitary code execution
Submitted: 2006-08-04 00:36 UTC Modified: 2006-08-04 11:59 UTC
From: heintz at hotmail dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 5.1.4 OS: all
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: heintz at hotmail dot com
New email:
PHP Version: OS:


 [2006-08-04 00:36 UTC] heintz at hotmail dot com
ext/standard/scanf.c line ~887
  if (numVars) {
                    current = args[objIndex++];                
  objIndex points past the end of array in other format cases too

Reproduce code:
sscanf('foo ','$1s',$str); - full description

Actual result:
will try to dereference a pointer to pointer which usually causes segmentation fault


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-04 09:28 UTC]
Please check out this patch:
 [2006-08-04 11:36 UTC] heintz at hotmail dot com
the checkformat function checks the invalid numbers
by subtracting one but the scanning function doesnt
so seems to me the only problem here is that someone has forgotten to subract 1
code from scanf.c line 737

} else if ( isdigit(UCHAR(*ch))) { 
                value = strtoul(format-1, &end, 10); 
                if (*end == '$') {
                    format = end+1;
                    ch = format++;
                    objIndex = varStart + value;

i think just by putting making a objIndex = varStart + value -1;

it would be secure and keep the functionality. though the if-s wont hurt if you subract one so they can stay for insurance if performance is not that big of a issue.
 [2006-08-04 11:59 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Feb 27 01:01:28 2024 UTC