php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #61531 Integer Overflow in all printf functions
Submitted: 2012-03-27 21:07 UTC Modified: 2012-11-12 02:15 UTC
From: iblue at gmx dot net Assigned: aharvey (profile)
Status: Closed Package: Documentation problem
PHP Version: 5.4.0 OS: GNU/Linux
Private report: No CVE-ID: None
View Developer Edit
 [2012-03-27 21:07 UTC] iblue at gmx dot net 
Description:
------------
There is an integer overflow in *printf.

Test script:
---------------
<?php
echo sprintf('%2147483646$s', "foo");
echo sprintf('%2147483647$s', "foo");


Expected result:
----------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 3


Actual result:
--------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Argument number must be greater than zero in 
/home/iblue/test.php on line 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-28 08:21 UTC] yohgaki@php.net 
This happens because argnum is int and php_sprintf_getnumber() just returns -1 
when there is overflow.

ext/standard/formatted_print.c
---------
if (format[temppos] == '$') {
	argnum = php_sprintf_getnumber(format, &inpos);
	if (argnum <= 0) {
		efree(result);
		efree(args);
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number 
must be greater than zero");
		return NULL;
	}
	multiuse = 1;
	inpos++;  /* skip the '$' */
} else {
-------------

I don't think we have to deal this more gracefully. Anyone?
 [2012-03-28 08:25 UTC] yohgaki@php.net 
php_sprintf_getnumber() compares with INT_MAX and returns -1, so this happens in 
64 bit architecture, too.
 [2012-03-28 08:25 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed
 [2012-03-31 07:10 UTC] yohgaki@php.net 
Changed to Doc problem.
 [2012-03-31 07:10 UTC] yohgaki@php.net
-Type: Bug +Type: Documentation Problem
 [2012-11-12 02:14 UTC] aharvey@php.net 
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=328312
Log: Add a note about position specifiers respecting PHP_INT_MAX.

Fixes doc bug #61531 (Integer Overflow in all printf functions).
 [2012-11-12 02:15 UTC] aharvey@php.net
-Status: Analyzed +Status: Closed -Package: Strings related +Package: Documentation problem -Assigned To: +Assigned To: aharvey
 [2012-11-12 02:15 UTC] aharvey@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Apr 04 00:01:30 2025 UTC