Edit report at https://bugs.php.net/bug.php?id=61531&edit=1
ID:                 61531
Updated by:         yohg...@php.net
Reported by:        iblue at gmx dot net
Summary:            Integer Overflow in all printf functions
-Status:            Open
+Status:            Analyzed
Type:               Bug
Package:            Strings related
Operating System:   GNU/Linux
PHP Version:        5.4.0
Block user comment: N
Private report:     N

New Comment:

php_sprintf_getnumber() compares with INT_MAX and returns -1, so this happens in 64 bit architecture, too.

Previous Comments:
------------------------------------------------------------------------
[2012-03-28 08:21:51] yohg...@php.net

This happens because argnum is int and php_sprintf_getnumber() just returns -1 when there is overflow.

ext/standard/formatted_print.c
---------
    if (format[temppos] == '$') {
        argnum = php_sprintf_getnumber(format, &inpos);

        if (argnum <= 0) {
            efree(result);
            efree(args);
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number must be greater than zero");
            return NULL;
        }

        multiuse = 1;
        inpos++;  /* skip the '$' */
    } else {
-------------

I don't think we have to deal with this more gracefully. Anyone?

------------------------------------------------------------------------
[2012-03-27 21:07:12] iblue at gmx dot net

Description:
------------
There is an integer overflow in *printf.

Test script:
---------------
<?php
echo sprintf('%2147483646$s', "foo");
echo sprintf('%2147483647$s', "foo");

Expected result:
----------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 3

Actual result:
--------------
PHP Warning:  sprintf(): Too few arguments in /home/iblue/test.php on line 2
PHP Warning:  sprintf(): Argument number must be greater than zero in /home/iblue/test.php on line 3

------------------------------------------------------------------------
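
The behaviour discussed in this report, as an added example that is not part of the original thread and is not PHP's source code: a simplified stand-alone C model of an argument-number parser that returns -1 once the value reaches INT_MAX, next to a caller that tells the out-of-range case apart from zero. The names get_number, check_conflated, check_distinct and the arg_status enum are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum arg_status { ARG_OK, ARG_NOT_POSITIVE, ARG_TOO_FEW, ARG_OUT_OF_RANGE };

/* Model of the behaviour described in the comments: parse the digits at
 * fmt[*pos], advance *pos, and return -1 when the value reaches INT_MAX. */
static int get_number(const char *fmt, int *pos)
{
    char *end;
    long num = strtol(fmt + *pos, &end, 10);
    *pos += (int)(end - (fmt + *pos));
    return (num >= INT_MAX || num < 0) ? -1 : (int)num;
}

/* Caller shaped like the quoted fragment: every value <= 0 gets the same
 * message, so the overflow sentinel is reported as "not greater than zero". */
static enum arg_status check_conflated(const char *fmt, int nargs)
{
    int pos = 1;                        /* skip the leading '%' */
    int argnum = get_number(fmt, &pos);
    if (argnum <= 0) return ARG_NOT_POSITIVE;
    return argnum > nargs ? ARG_TOO_FEW : ARG_OK;
}

/* Hypothetical alternative: report out-of-range separately from zero. */
static enum arg_status check_distinct(const char *fmt, int nargs)
{
    char *end;
    errno = 0;
    long num = strtol(fmt + 1, &end, 10);
    if (errno == ERANGE || num >= INT_MAX) return ARG_OUT_OF_RANGE;
    if (num <= 0) return ARG_NOT_POSITIVE;
    return num > nargs ? ARG_TOO_FEW : ARG_OK;
}

int main(void)
{
    /* Constructed inputs: the two format strings from the test script plus
     * two baseline cases, each checked against a single supplied argument. */
    const char *fmts[] = { "%1$s", "%0$s", "%2147483646$s", "%2147483647$s" };
    for (size_t i = 0; i < sizeof fmts / sizeof fmts[0]; i++)
        printf("%-16s conflated=%d distinct=%d\n", fmts[i],
               check_conflated(fmts[i], 1), check_distinct(fmts[i], 1));
    return 0;
}
```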