Doc Bug #61531 Integer Overflow in all printf functions
Submitted: 2012-03-27 21:07 UTC Modified: 2012-11-12 02:15 UTC
From: iblue at gmx dot net Assigned: aharvey (profile)
Status: Closed Package: Documentation problem
PHP Version: 5.4.0 OS: GNU/Linux
Private report: No CVE-ID: None
 [2012-03-27 21:07 UTC] iblue at gmx dot net
Description:
------------
There is an integer overflow in *printf.

Test script:
---------------
<?php
echo sprintf('%2147483646$s', "foo");
echo sprintf('%2147483647$s', "foo");


Expected result:
----------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 3


Actual result:
--------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Argument number must be greater than zero in /home/iblue/test.php on line 3


 [2012-03-28 08:21 UTC] yohgaki@php.net
This happens because argnum is int and php_sprintf_getnumber() just returns -1 
when there is overflow.

ext/standard/formatted_print.c
---------
if (format[temppos] == '$') {
	argnum = php_sprintf_getnumber(format, &inpos);
	if (argnum <= 0) {
		efree(result);
		efree(args);
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number must be greater than zero");
		return NULL;
	}
	multiuse = 1;
	inpos++;  /* skip the '$' */
} else {
-------------

I don't think we have to deal with this more gracefully. Anyone?
 [2012-03-28 08:25 UTC] yohgaki@php.net
php_sprintf_getnumber() compares with INT_MAX and returns -1, so this happens on 
64-bit architectures, too.
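
An added example (not code from PHP or from this report): a position-specifier parser that reports an out-of-range position separately from a zero position, so the two lines of the test script get distinct, accurate diagnostics. The function name and status codes are hypothetical, and rejecting INT_MAX itself is an assumption taken from the actual results shown above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes, so callers can tell "0$" from "too large". */
enum argnum_status { ARGNUM_OK, ARGNUM_NOT_POSITIONAL, ARGNUM_ZERO, ARGNUM_TOO_LARGE };

/* Parse the "<digits>$" position specifier; fmt points just past the '%'.
 * On ARGNUM_OK, *argnum is the 1-based position and *consumed the number
 * of bytes read, including the '$'. */
enum argnum_status parse_argnum(const char *fmt, int *argnum, size_t *consumed)
{
	size_t i = 0;
	int n = 0, too_large = 0;

	while (fmt[i] >= '0' && fmt[i] <= '9') {
		int digit = fmt[i] - '0';
		/* Test before multiplying: signed overflow is undefined in C. */
		if (too_large || n > (INT_MAX - digit) / 10) {
			too_large = 1;
		} else {
			n = n * 10 + digit;
		}
		i++;
	}
	if (i == 0 || fmt[i] != '$')
		return ARGNUM_NOT_POSITIONAL; /* e.g. a width such as "%5d" */
	/* Assumption: INT_MAX itself is rejected, as in the report's results. */
	if (too_large || n == INT_MAX)
		return ARGNUM_TOO_LARGE;
	if (n == 0)
		return ARGNUM_ZERO;
	*argnum = n;
	*consumed = i + 1;
	return ARGNUM_OK;
}

int main(void)
{
	/* Constructed inputs: the two positions from the report's test script. */
	const char *samples[] = { "2147483646$s", "2147483647$s" };
	for (int i = 0; i < 2; i++) {
		int n = 0; size_t used = 0;
		enum argnum_status s = parse_argnum(samples[i], &n, &used);
		printf("%%%s -> status %d, argnum %d\n", samples[i], (int)s, n);
	}
	return 0;
}
```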
 [2012-03-28 08:25 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed
 [2012-03-31 07:10 UTC] yohgaki@php.net
Changed to Doc problem.
 [2012-03-31 07:10 UTC] yohgaki@php.net
-Type: Bug +Type: Documentation Problem
 [2012-11-12 02:14 UTC] aharvey@php.net
Automatic comment from SVN on behalf of aharvey
Revision: http://svn.php.net/viewvc/?view=revision&revision=328312
Log: Add a note about position specifiers respecting PHP_INT_MAX.

Fixes doc bug #61531 (Integer Overflow in all printf functions).
 [2012-11-12 02:15 UTC] aharvey@php.net
-Status: Analyzed +Status: Closed -Package: Strings related +Package: Documentation problem -Assigned To: +Assigned To: aharvey
 [2012-11-12 02:15 UTC] aharvey@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 