ID: 38322 Updated by: [EMAIL PROTECTED] Reported By: heintz at hotmail dot com -Status: Open +Status: Closed Bug Type: Strings related Operating System: all PHP Version: 5.1.4 New Comment:
This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2006-08-04 11:36:16] heintz at hotmail dot com the checkformat function checks the invalid numbers by subtracting one but the scanning function doesnt so seems to me the only problem here is that someone has forgotten to subract 1 code from scanf.c line 737 } else if ( isdigit(UCHAR(*ch))) { value = strtoul(format-1, &end, 10); if (*end == '$') { format = end+1; ch = format++; objIndex = varStart + value; } } i think just by putting making a objIndex = varStart + value -1; it would be secure and keep the functionality. though the if-s wont hurt if you subract one so they can stay for insurance if performance is not that big of a issue. ------------------------------------------------------------------------ [2006-08-04 09:28:06] [EMAIL PROTECTED] Please check out this patch: http://tony2001.phpclub.net/dev/tmp/bug38322.diff ------------------------------------------------------------------------ [2006-08-04 00:36:21] heintz at hotmail dot com Description: ------------ ext/standard/scanf.c line ~887 --- if (numVars) { current = args[objIndex++]; --- objIndex points past the end of array in other format cases too Reproduce code: --------------- sscanf('foo ','$1s',$str); http://www.plain-text.info/sscanf_bug.txt - full description Actual result: -------------- will try to dereference a pointer to pointer which usually causes segmentation fault ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=38322&edit=1
