|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38322 reading past array in sscanf leads to arbitary code execution
Submitted: 2006-08-04 00:36 UTC Modified: 2006-08-04 11:59 UTC
From: heintz at hotmail dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 5.1.4 OS: all
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: heintz at hotmail dot com
New email:
PHP Version: OS:


 [2006-08-04 00:36 UTC] heintz at hotmail dot com
ext/standard/scanf.c line ~887
  if (numVars) {
                    current = args[objIndex++];                
  objIndex points past the end of array in other format cases too

Reproduce code:
sscanf('foo ','$1s',$str); - full description

Actual result:
will try to dereference a pointer to pointer which usually causes segmentation fault


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-04 09:28 UTC]
Please check out this patch:
 [2006-08-04 11:36 UTC] heintz at hotmail dot com
the checkformat function checks the invalid numbers
by subtracting one but the scanning function doesnt
so seems to me the only problem here is that someone has forgotten to subract 1
code from scanf.c line 737

} else if ( isdigit(UCHAR(*ch))) { 
                value = strtoul(format-1, &end, 10); 
                if (*end == '$') {
                    format = end+1;
                    ch = format++;
                    objIndex = varStart + value;

i think just by putting making a objIndex = varStart + value -1;

it would be secure and keep the functionality. though the if-s wont hurt if you subract one so they can stay for insurance if performance is not that big of a issue.
 [2006-08-04 11:59 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Mar 03 22:01:27 2024 UTC