Bug #75067 Passing of unterminated C string as argument to %s in format string
Submitted: 2017-08-12 17:33 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: enclaved at safe-mail dot net Assigned:
Status: Open Package: Strings related
PHP Version: 7.1.8 OS: All
Private report: No CVE-ID:

 [2017-08-12 17:33 UTC] enclaved at safe-mail dot net
Description:
------------
Zend/zend_API.h, around line 580:

#define CHECK_ZVAL_STRING(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s)", ZSTR_VAL(str)); }
#define CHECK_ZVAL_STRING_REL(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", ZSTR_VAL(str) ZEND_FILE_LINE_RELAY_CC); }

Both of these macros pass unterminated C strings (as far as zend_string is concerned) to zend_error() as arguments to the %s format string conversion specifier. Regardless of whether the strings are implicitly terminated by whatever allocation method they use, this is generally very bad practice under the common C format string usage semantics. If a truly unterminated C string wrapped in zend_string is passed to one of these macros, it will almost certainly result in delivery of SIGBUS (or SIGSEGV on some platforms).

Please make a terminated copy of the string in question with estrndup() or similar means, giving ZSTR_LEN() as an explicit length.


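The following is an added example illustrating the report above; it is not code from the bug report or from the PHP source tree. It models a zend_string with a hypothetical two-field struct `zstr` (length plus pointer, which is all the two macros touch) and constructs a payload whose byte at `val[len]` is deliberately not NUL, so the check in the macros fires. It then shows two ways to emit the warning without reading past the payload: the `%.*s` conversion with an explicit precision, and a NUL-terminated copy built from the explicit length, which is what the report suggests doing with estrndup() (plain malloc() is used here).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for zend_string (not the real Zend layout):
 * only the two fields the macros above use are modelled. */
struct zstr {
    size_t len;
    char  *val;
};

/* Accessors in the spirit of ZSTR_VAL() / ZSTR_LEN(). */
#define ZVAL(s) ((s)->val)
#define ZLEN(s) ((s)->len)

/* The test the macros perform: is the byte after the payload a NUL? */
int is_zero_terminated(const struct zstr *s)
{
    return ZVAL(s)[ZLEN(s)] == '\0';
}

/* Hardened formatting: the precision in "%.*s" bounds how many bytes
 * printf may read, so no terminator is needed for the string argument
 * (C11 7.21.6.1). Returns snprintf's result, i.e. the length of the
 * full message. */
int format_warning(char *out, size_t outsz, const struct zstr *s)
{
    return snprintf(out, outsz, "String is not zero-terminated (%.*s)",
                    (int)ZLEN(s), ZVAL(s));
}

/* The fix proposed in the report: a terminated copy made from the
 * explicit length (estrndup() in the Zend allocator; malloc() here).
 * The caller frees the result. */
char *terminated_copy(const struct zstr *s)
{
    char *copy = malloc(ZLEN(s) + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, ZVAL(s), ZLEN(s));
    copy[ZLEN(s)] = '\0';
    return copy;
}

/* Constructed input: a 5-byte payload followed by a non-NUL marker.
 * The buffer is len+1 bytes so that reading val[len] stays in bounds,
 * as it does for a real zend_string; only the terminator is missing. */
struct zstr make_unterminated(void)
{
    static char buf[6] = { 'h', 'e', 'l', 'l', 'o', 'X' };
    struct zstr s = { 5, buf };
    return s;
}

int main(void)
{
    struct zstr s = make_unterminated();
    char msg[64];
    char *copy;

    if (!is_zero_terminated(&s)) {
        format_warning(msg, sizeof msg, &s);
        puts(msg);

        copy = terminated_copy(&s);
        if (copy != NULL) {
            printf("copy: %s (strlen %zu)\n", copy, strlen(copy));
            free(copy);
        }
    }
    return 0;
}
```

One caveat applies to both approaches: a zend_string may legitimately contain embedded NUL bytes, and both `%.*s` and printing the copy with `%s` stop at the first one, so the warning text may show a prefix of the payload rather than all of it. That is harmless for a diagnostic; the point is that neither variant reads beyond `ZSTR_LEN()` bytes.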
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC