|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75067 Passing of unterminated C string as argument to %s in format string
Submitted: 2017-08-12 17:33 UTC Modified: 2021-01-15 14:07 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: enclaved at safe-mail dot net Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.1.8 OS: All
Private report: No CVE-ID: None
 [2017-08-12 17:33 UTC] enclaved at safe-mail dot net
Zend/zend_API.h, around line 580:

#define CHECK_ZVAL_STRING(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s)", ZSTR_VAL(str)); }
#define CHECK_ZVAL_STRING_REL(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", ZSTR_VAL(str) ZEND_FILE_LINE_RELAY_CC); }

Both of these macros pass unterminated C strings (as far as zend_string is concerned) to zend_error() as arguments to the %s format string conversion specifier. Regardless of whether the strings are implicitly terminated by whatever allocation method they use, this is generally a very bad practice from the common C format string usage semantics. If a truly unterminated C string wrapped in zend_string is passed to one of these macros, it will almost certainly result in delivery of SIGBUS (or SIGSEGV on some platforms).

Please make a terminated copy of the string in question with estrndup() or similar means, giving ZSTR_LEN() as an explicit length.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-15 14:07 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-01-15 14:07 UTC]
This has been fixed[1] in the meantime (available as of PHP
8.0.0).  Regarding prior PHP versions, this is not really an
issue, since it would affect debug builds only, and it is not
supposed to happen anyway.

[1] <;a=commit;h=ef9ab9159b409c6d3ea184b4ba88764d85c4133b>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 25 13:01:30 2024 UTC