tony2001                Fri Aug  4 11:49:18 2006 UTC

  Modified files:              
    /php-src/ext/standard       scanf.c 
  Log:
  fix #38322 (reading past array in sscanf() leads to arbitrary code execution)
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.33&r2=1.34&diff_format=u
Index: php-src/ext/standard/scanf.c
diff -u php-src/ext/standard/scanf.c:1.33 php-src/ext/standard/scanf.c:1.34
--- php-src/ext/standard/scanf.c:1.33   Sun Jan  1 13:09:55 2006
+++ php-src/ext/standard/scanf.c        Fri Aug  4 11:49:18 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: scanf.c,v 1.33 2006/01/01 13:09:55 sniper Exp $ */
+/* $Id: scanf.c,v 1.34 2006/08/04 11:49:18 tony2001 Exp $ */
 
 /*
    scanf.c --
@@ -732,7 +732,7 @@
                        if (*end == '$') {
                                format = end+1;
                                ch = format++;
-                               objIndex = varStart + value;
+                               objIndex = varStart + value - 1;
                        }
                }
 
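Review bot: The corrected `objIndex = varStart + value - 1;` still has no lower bound: a `%0$` directive makes objIndex equal to varStart - 1, one slot before the first user argument, and the `objIndex >= argCount` guards this commit adds at the assignment sites only catch the upper end. Unless the earlier format-validation pass already rejects a zero positional index (it is not part of this diff), the index needs a check where it is computed, e.g. `if (value == 0) { goto done; }` ahead of the assignment, using the function's existing `done` label. The enclosing parsing loop starts and ends outside the hunk.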
@@ -762,7 +762,9 @@
                switch (*ch) {
                        case 'n':
                                if (!(flags & SCAN_SUPPRESS)) {
-                                       if (numVars) {
+                                       if (numVars && objIndex >= argCount) {
+                                               break;
+                                       } else if (numVars) {
                                                zend_uint refcount;
 
                                                current = args[objIndex++];
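Review bot: The new `break;` in the `case 'n'` branch leaves the switch rather than moving to the next directive, which differs from how the rest of this case finishes: `%n` consumes no input, and if the case ends with the usual `nconversions++; continue;` (outside the hunk), breaking out early falls into whatever follows the switch — presumably the whitespace skip and the conversion step — with the operation for this directive never selected. Using `continue;` in place of `break;` here keeps the out-of-range case on the same path as the rest of the `%n` handling. The enclosing switch and loop both extend beyond the hunk.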
@@ -888,7 +890,9 @@
                                        }
                                }
                                if (!(flags & SCAN_SUPPRESS)) {
-                                       if (numVars) {
+                                       if (numVars && objIndex >= argCount) {
+                                               break;
+                                       } else if (numVars) {
                                                zend_uint refcount;
 
                                                current = args[objIndex++];
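Review bot: The out-of-range case added here, and the identical ones in the hunks at -932, -1089, -1098 and -1206, silently discard the conversion: the input has already been consumed, nothing is assigned, and the caller gets no indication that the format referred to an argument that was not passed, so a mismatched `%N$` index now looks like a scan that simply produced one value fewer. Emitting a `php_error_docref` warning before the `break;` would make the condition visible to the caller. The same `numVars && objIndex >= argCount` test is repeated at six sites, each directly after the `!(flags & SCAN_SUPPRESS)` test; one check placed before the conversion switch would replace the copies inside it and cannot drift as new conversion types are added. The enclosing function starts and ends outside the hunk.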
@@ -932,7 +936,9 @@
                                        goto done;
                                }
                                if (!(flags & SCAN_SUPPRESS)) {
-                                       if (numVars) {
+                                       if (numVars && objIndex >= argCount) {
+                                               break;
+                                       } else if (numVars) {
                                                current = args[objIndex++];
                                                zval_dtor( *current );
                                                ZVAL_STRINGL( *current, string, 
end-string, 1);
@@ -1089,7 +1095,9 @@
                                        value = (int) (*fn)(buf, NULL, base);
                                        if ((flags & SCAN_UNSIGNED) && (value < 
0)) {
                                                sprintf(buf, "%u", value); /* 
INTL: ISO digit */
-                                               if (numVars) {
+                                               if (numVars && objIndex >= 
argCount) {
+                                                       break;
+                                               } else if (numVars) {
                                                  /* change passed value type 
to string */
                                                   current = args[objIndex++];
                                                   convert_to_string( *current 
);
@@ -1098,7 +1106,9 @@
                                                        
add_index_string(*return_value, objIndex++, buf, 1);
                                                }
                                        } else {
-                                               if (numVars) {
+                                               if (numVars && objIndex >= 
argCount) {
+                                                       break;
+                                               } else if (numVars) {
                                                        current = 
args[objIndex++];
                                                        convert_to_long( 
*current );
                                                        Z_LVAL(**current) = 
value;
@@ -1206,7 +1216,9 @@
                                        double dvalue;
                                        *end = '\0';
                                        dvalue = zend_strtod(buf, NULL);
-                                       if (numVars) {
+                                       if (numVars && objIndex >= argCount) {
+                                               break;
+                                       } else if (numVars) {
                                                current = args[objIndex++];
                                                convert_to_double( *current );
                                                Z_DVAL_PP( current ) = dvalue;
