php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70914 zend_throw_or_error() format string vulnerability
Submitted: 2015-11-14 16:05 UTC Modified: 2015-12-07 21:32 UTC
From: taoguangchen at icloud dot com Assigned: ab (profile)
Status: Closed Package: *General Issues
PHP Version: 7.0.0RC7 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: taoguangchen at icloud dot com
New email:
PHP Version: OS:

 

 [2015-11-14 16:05 UTC] taoguangchen at icloud dot com
Description:
------------
```
static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce, const char *format, ...) /* {{{ */
{
	va_list va;
	char *message = NULL;

	va_start(va, format);
	zend_vspprintf(&message, 0, format, va);

	if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
		zend_throw_error(exception_ce, message);
	} else {
		zend_error(E_ERROR, message);
	}

	efree(message);
	va_end(va);
}
```

PoC:
```
$db = new PDO('sqlite::memory:');
$st = $db->query('SELECT 1');
$re = $st->fetchObject('%Z');
```

fix:
```
zend_error(E_ERROR, "%s", message);
```


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-11-14 22:55 UTC] ab@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: ab
 [2015-11-14 22:55 UTC] ab@php.net
Huge thanks for the hint. As it's still an RC, marking this as security makes a little sense. I've just pushed a patch therefore.

Thanks.
 [2015-11-20 01:03 UTC] ab@php.net
Automatic comment on behalf of taoguangchen@icloud.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=327b8bf79c5762101ac99930129e2b3e13157c60
Log: Fixed bug #70914 zend_throw_or_error() format string vulnerability
 [2015-12-07 20:59 UTC] fernando at inova2b dot com dot br
Thats amazing!
 [2015-12-07 21:32 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of taoguangchen@icloud.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=617698dfe0f22bfa6041e6f0728136002d30d2bc
Log: Fixed bug #70914 zend_throw_or_error() format string vulnerability
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 04:01:27 2024 UTC