|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75067 Passing of unterminated C string as argument to %s in format string
Submitted: 2017-08-12 17:33 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: enclaved at safe-mail dot net Assigned:
Status: Open Package: Strings related
PHP Version: 7.1.8 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: enclaved at safe-mail dot net
New email:
PHP Version: OS:


 [2017-08-12 17:33 UTC] enclaved at safe-mail dot net
Zend/zend_API.h, around line 580:

#define CHECK_ZVAL_STRING(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s)", ZSTR_VAL(str)); }
#define CHECK_ZVAL_STRING_REL(str) \
    if (ZSTR_VAL(str)[ZSTR_LEN(str)] != '\0') { zend_error(E_WARNING, "String is not zero-terminated (%s) (source: %s:%d)", ZSTR_VAL(str) ZEND_FILE_LINE_RELAY_CC); }

Both of these macros pass unterminated C strings (as far as zend_string is concerned) to zend_error() as arguments to the %s format string conversion specifier. Regardless of whether the strings are implicitly terminated by whatever allocation method they use, this is generally a very bad practice from the common C format string usage semantics. If a truly unterminated C string wrapped in zend_string is passed to one of these macros, it will almost certainly result in delivery of SIGBUS (or SIGSEGV on some platforms).

Please make a terminated copy of the string in question with estrndup() or similar means, giving ZSTR_LEN() as an explicit length.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Oct 23 06:01:24 2020 UTC