ID: 38322
User updated by: heintz at hotmail dot com
Reported By: heintz at hotmail dot com
-Status: Feedback
+Status: Open
Bug Type: Strings related
Operating System: all
PHP Version: 5.1.4
New Comment:
The checkformat function checks the invalid numbers by subtracting one,
but the scanning function doesn't, so it seems to me the only problem
here is that someone has forgotten to subtract 1.
Code from scanf.c line 737:
    } else if ( isdigit(UCHAR(*ch))) {
        value = strtoul(format-1, &end, 10);
        if (*end == '$') {
            format = end+1;
            ch = format++;
            objIndex = varStart + value;
        }
    }
I think just by making it objIndex = varStart + value - 1; it would be
secure and keep the functionality, though the ifs won't hurt if you
subtract one, so they can stay for insurance if performance is not that
big of an issue.
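To make the off-by-one concrete, here is an added example, not code from PHP's scanf.c and not part of the bug report: a simplified model of how a scanf-style parser resolves a positional `%N$s` conversion (the `%n$` syntax PHP's sscanf accepts) to an output slot, with the buggy mapping from the quoted snippet (`varStart + value`) beside a corrected one (`varStart + value - 1` plus a range check against the number of variables passed). The names `resolve_slots`, `slot_index_buggy`, `slot_index_checked` and `positional_value` are assumed for this model, `varStart`/`numVars` only mirror the names in the snippet, and only plain `%s` and `%N$s` are understood.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example: a simplified model of positional-argument resolution in a
 * scanf-style parser. It is NOT PHP's scanf.c; varStart/numVars only mirror
 * the names in the quoted snippet, and only "%s" and "%N$s" are understood. */

/* Parse an optional "N$" prefix at fmt. Returns N (1-based), or 0 when no
 * positional prefix is present; *rest is set to the text after the prefix. */
static unsigned long positional_value(const char *fmt, const char **rest)
{
    char *end;
    unsigned long value;

    if (!isdigit((unsigned char)*fmt)) {
        *rest = fmt;
        return 0;
    }
    value = strtoul(fmt, &end, 10);
    if (*end != '$') {          /* a width like "%10s", not a position */
        *rest = fmt;
        return 0;
    }
    *rest = end + 1;
    return value;
}

/* Buggy mapping from the quoted snippet: "%1$s" lands on args[varStart + 1],
 * one slot past the first variable, and nothing bounds the index at all. */
int slot_index_buggy(unsigned long value, int varStart)
{
    return varStart + (int)value;
}

/* Corrected mapping: "%N$s" is 1-based, so subtract one, and reject an N
 * that is zero or larger than the number of variables actually passed. */
int slot_index_checked(unsigned long value, int varStart, int numVars)
{
    if (value == 0 || value > (unsigned long)numVars)
        return -1;
    return varStart + (int)(value - 1);
}

/* Walk `format` and record the args[] slot each conversion would write to.
 * Returns the number of conversions, -1 if a slot would fall outside
 * args[varStart .. varStart + numVars - 1] (only enforced when `checked`
 * is set), or -2 for a conversion this model does not support. */
int resolve_slots(const char *format, int varStart, int numVars,
                  int checked, int *slots, int maxSlots)
{
    const char *p = format;
    int next = varStart;     /* next sequential slot for a plain "%s" */
    int n = 0;

    while (*p) {
        const char *rest;
        unsigned long value;
        int idx;

        if (*p != '%') { p++; continue; }     /* literal text */
        p++;
        if (*p == '%') { p++; continue; }     /* "%%" matches a literal '%' */

        value = positional_value(p, &rest);
        if (value) {
            idx = checked ? slot_index_checked(value, varStart, numVars)
                          : slot_index_buggy(value, varStart);
            if (idx < 0)
                return -1;
            p = rest;
        } else {
            idx = next++;
            if (checked && idx >= varStart + numVars)
                return -1;
        }
        if (*p != 's')
            return -2;
        p++;
        if (n < maxSlots)
            slots[n] = idx;
        n++;
    }
    return n;
}

int main(void)
{
    int slots[4];
    const int varStart = 0, numVars = 1;   /* one variable passed, as in the report */

    resolve_slots("%1$s", varStart, numVars, 0, slots, 4);
    printf("buggy:   %%1$s -> args[%d] (valid slots: args[0..%d])\n",
           slots[0], varStart + numVars - 1);
    resolve_slots("%1$s", varStart, numVars, 1, slots, 4);
    printf("checked: %%1$s -> args[%d]\n", slots[0]);
    return 0;
}
```

With one variable passed, the buggy mapping sends `%1$s` to `args[1]`, which is exactly the slot past the end that `current = args[objIndex++]` then dereferences; the checked mapping sends it to `args[0]` and refuses `%2$s`, so the range check is what makes the fix safe even when the caller passes fewer variables than the format names.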
Previous Comments:
------------------------------------------------------------------------
[2006-08-04 09:28:06] [EMAIL PROTECTED]
Please check out this patch:
http://tony2001.phpclub.net/dev/tmp/bug38322.diff
------------------------------------------------------------------------
[2006-08-04 00:36:21] heintz at hotmail dot com
Description:
------------
ext/standard/scanf.c line ~887
---
    if (numVars) {
        current = args[objIndex++];
---
objIndex points past the end of the array in other format cases too.
Reproduce code:
---------------
sscanf('foo ','$1s',$str);
http://www.plain-text.info/sscanf_bug.txt - full description
Actual result:
--------------
Will try to dereference a pointer to pointer, which usually causes a
segmentation fault.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38322&edit=1