Bug #75067 Passing of unterminated C string as argument to %s in format string
Submitted: 2017-08-12 17:33 UTC Modified: 2021-01-15 14:07 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: enclaved at safe-mail dot net Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: 7.1.8 OS: All
Private report: No CVE-ID: None

 

 [2017-08-12 17:33 UTC] enclaved at safe-mail dot net
Description:
------------
Zend/zend_API.h, around line 580:

#define CHECK_ZVAL_STRING(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s)", ZSTR_VAL(str)); }
#define CHECK_ZVAL_STRING_REL(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", ZSTR_VAL(str) ZEND_FILE_LINE_RELAY_CC); }

Both of these macros pass unterminated C strings (as far as zend_string is concerned) to zend_error() as arguments to the %s format string conversion specifier. Regardless of whether the strings are implicitly terminated by whatever allocation method they use, this is generally a very bad practice from the common C format string usage semantics. If a truly unterminated C string wrapped in zend_string is passed to one of these macros, it will almost certainly result in delivery of SIGBUS (or SIGSEGV on some platforms).

Please make a terminated copy of the string in question with estrndup() or similar means, giving ZSTR_LEN() as an explicit length.
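
Added example (not part of the original report and not php-src code): a stand-alone sketch of two length-bounded ways to build this warning. It assumes a hypothetical struct lstr in place of zend_string and plain snprintf() in place of zend_error(). The first function makes the terminated copy requested above; the second goes beyond the report by capping %s with a precision.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-carrying string such as zend_string:
 * the buffer holds len + 1 bytes and val[len] is supposed to be '\0'. */
struct lstr {
    size_t len;
    const char *val;
};

/* Variant 1: terminated copy of exactly len bytes, the estrndup(ZSTR_VAL(str),
 * ZSTR_LEN(str)) idea from the report, done here with malloc/memcpy. */
static int warn_with_copy(const struct lstr *s, char *out, size_t outsz)
{
    if (s->val[s->len] == '\0') return 0;          /* properly terminated */
    char *copy = malloc(s->len + 1);
    if (copy == NULL) return -1;
    memcpy(copy, s->val, s->len);
    copy[s->len] = '\0';
    snprintf(out, outsz, "String is not zero-terminated (%s)", copy);
    free(copy);
    return 1;
}

/* Variant 2: no allocation; a precision on %s caps how many bytes are read,
 * so the argument does not need a terminator. */
static int warn_with_precision(const struct lstr *s, char *out, size_t outsz)
{
    if (s->val[s->len] == '\0') return 0;
    int n = s->len > INT_MAX ? INT_MAX : (int)s->len;
    snprintf(out, outsz, "String is not zero-terminated (%.*s)", n, s->val);
    return 1;
}

int main(void)
{
    /* Constructed sample: 5 payload bytes, then 'X' where the NUL should be. */
    static const char raw[6] = { 'h', 'e', 'l', 'l', 'o', 'X' };
    struct lstr bad = { 5, raw };
    char msg[64];
    if (warn_with_copy(&bad, msg, sizeof msg) == 1) puts(msg);
    if (warn_with_precision(&bad, msg, sizeof msg) == 1) puts(msg);
    return 0;
}
```

Neither variant reads past val[len], whereas an unbounded %s on the same buffer would keep reading until it happened to meet a zero byte.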


 [2021-01-15 14:07 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2021-01-15 14:07 UTC] cmb@php.net
This has been fixed[1] in the meantime (available as of PHP
8.0.0).  Regarding prior PHP versions, this is not really an
issue, since it would affect debug builds only, and it is not
supposed to happen anyway.

[1] <http://git.php.net/?p=php-src.git;a=commit;h=ef9ab9159b409c6d3ea184b4ba88764d85c4133b>
 
Last updated: Mon Jan 18 20:01:24 2021 UTC