Bug #70914 zend_throw_or_error() format string vulnerability
Submitted: 2015-11-14 16:05 UTC Modified: 2015-12-07 21:32 UTC
From: taoguangchen at icloud dot com Assigned: ab
Status: Closed Package: *General Issues
PHP Version: 7.0.0RC7 OS: *
Private report: No CVE-ID:
 [2015-11-14 16:05 UTC] taoguangchen at icloud dot com
Description:
------------
```c
static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce, const char *format, ...) /* {{{ */
{
	va_list va;
	char *message = NULL;

	va_start(va, format);
	zend_vspprintf(&message, 0, format, va);

	if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
		zend_throw_error(exception_ce, message);
	} else {
		zend_error(E_ERROR, message);
	}

	efree(message);
	va_end(va);
}
```

PoC:
```php
<?php
$db = new PDO('sqlite::memory:');
$st = $db->query('SELECT 1');
$re = $st->fetchObject('%Z');
```

fix:
```c
zend_error(E_ERROR, "%s", message);
```
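As an added example (not the reporter's code and not php-src), the following C model of the same two-stage path shows why the first formatting step does not neutralise conversion specifiers carried in user data such as a class name, and how passing `"%s"` plus the rendered message keeps that message as data. The sink name, the message text and the `count_conversions` helper are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stage 2: the error sink, standing in for zend_error()/zend_throw_error().
 * Like them it takes a printf-style format. The attribute lets GCC/Clang with
 * -Wformat-security flag a non-literal format passed without arguments, which
 * is exactly the call shape the bug fix removes. */
static void error_sink(char *out, size_t cap, const char *format, ...)
    __attribute__((format(printf, 3, 4)));

static void error_sink(char *out, size_t cap, const char *format, ...)
{
    va_list va;
    va_start(va, format);
    vsnprintf(out, cap, format, va);
    va_end(va);
}

/* Count conversion specifiers a string would carry into a format-taking
 * function. "%%" is a literal percent sign and does not count. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Stage 1, as in zend_throw_or_error(): a caller-supplied format plus the
 * user-controlled class name is rendered into message. The "%s" consumes the
 * argument, but any '%' inside the argument survives verbatim in the result. */
void render_message(char *message, size_t cap, const char *class_name)
{
    snprintf(message, cap, "Class '%s' not found", class_name); /* constructed text */
}

/* Stage 2 after the fix: the rendered message is an argument, never the format.
 * The pre-fix shape was error_sink(out, cap, message), which re-parses message. */
void report_error_safe(char *out, size_t cap, const char *message)
{
    error_sink(out, cap, "%s", message);
}
```

With the class name `%Z`, `render_message` yields a string that still contains one live conversion specifier; only the `"%s"` call leaves it untouched.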

 [2015-11-14 22:55 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-11-14 22:55 UTC] ab@php.net
Huge thanks for the hint. As it's still an RC, marking this as security makes a little sense. I've just pushed a patch therefore.

Thanks.
 [2015-11-20 01:03 UTC] ab@php.net
Automatic comment on behalf of taoguangchen@icloud.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=327b8bf79c5762101ac99930129e2b3e13157c60
Log: Fixed bug #70914 zend_throw_or_error() format string vulnerability
 [2015-12-07 20:59 UTC] fernando at inova2b dot com dot br
That's amazing!
 [2015-12-07 21:32 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of taoguangchen@icloud.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=617698dfe0f22bfa6041e6f0728136002d30d2bc
Log: Fixed bug #70914 zend_throw_or_error() format string vulnerability
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 06:01:37 2017 UTC