|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #61531 Integer Overflow in all printf functions
Submitted: 2012-03-27 21:07 UTC Modified: 2012-11-12 02:15 UTC
From: iblue at gmx dot net Assigned: aharvey (profile)
Status: Closed Package: Documentation problem
PHP Version: 5.4.0 OS: GNU/Linux
Private report: No CVE-ID: None
 [2012-03-27 21:07 UTC] iblue at gmx dot net
There is an integer overflow in *printf.

Test script:
echo sprintf('%2147483646$s', "foo");
echo sprintf('%2147483647$s', "foo");

Expected result:
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 3

Actual result:
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Argument number must be greater than zero in 
/home/iblue/test.php on line 3


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-28 08:21 UTC]
This happens because argnum is int and php_sprintf_getnumber() just returns -1 
when there is overflow.

if (format[temppos] == '$') {
	argnum = php_sprintf_getnumber(format, &inpos);
	if (argnum <= 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number 
must be greater than zero");
		return NULL;
	multiuse = 1;
	inpos++;  /* skip the '$' */
} else {

I don't think we have to deal this more gracefully. Anyone?
 [2012-03-28 08:25 UTC]
php_sprintf_getnumber() compares with INT_MAX and returns -1, so this happens in 
64 bit architecture, too.
 [2012-03-28 08:25 UTC]
-Status: Open +Status: Analyzed
 [2012-03-31 07:10 UTC]
Changed to Doc problem.
 [2012-03-31 07:10 UTC]
-Type: Bug +Type: Documentation Problem
 [2012-11-12 02:14 UTC]
Automatic comment from SVN on behalf of aharvey
Log: Add a note about position specifiers respecting PHP_INT_MAX.

Fixes doc bug #61531 (Integer Overflow in all printf functions).
 [2012-11-12 02:15 UTC]
-Status: Analyzed +Status: Closed -Package: Strings related +Package: Documentation problem -Assigned To: +Assigned To: aharvey
 [2012-11-12 02:15 UTC]
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Sep 30 00:03:42 2022 UTC