tony2001 Fri Aug 4 11:59:50 2006 UTC
Modified files: (Branch: PHP_4_4)
/php-src/ext/standard scanf.c
/php-src NEWS
Log:
MFH: fix #38322 (reading past array in sscanf() leads to arbitary code
execution)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.16.4.9.2.1&r2=1.16.4.9.2.2&diff_format=u
Index: php-src/ext/standard/scanf.c
diff -u php-src/ext/standard/scanf.c:1.16.4.9.2.1
php-src/ext/standard/scanf.c:1.16.4.9.2.2
--- php-src/ext/standard/scanf.c:1.16.4.9.2.1 Sun Jan 1 13:46:58 2006
+++ php-src/ext/standard/scanf.c Fri Aug 4 11:59:50 2006
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: scanf.c,v 1.16.4.9.2.1 2006/01/01 13:46:58 sniper Exp $ */
+/* $Id: scanf.c,v 1.16.4.9.2.2 2006/08/04 11:59:50 tony2001 Exp $ */
/*
scanf.c --
@@ -732,7 +732,7 @@
if (*end == '$') {
format = end+1;
ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
}
}
@@ -762,8 +762,10 @@
switch (*ch) {
case 'n':
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
- current = args[objIndex++];
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ current = args[objIndex++];
zval_dtor( *current );
ZVAL_LONG( *current, (long)(string - baseString) );
} else {
@@ -883,8 +885,10 @@
}
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
- current = args[objIndex++];
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ current = args[objIndex++];
zval_dtor( *current );
ZVAL_STRINGL( *current, string,
end-string, 1);
} else {
@@ -922,7 +926,9 @@
goto done;
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
zval_dtor( *current );
ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1079,8 +1085,10 @@
value = (int) (*fn)(buf, NULL, base);
if ((flags & SCAN_UNSIGNED) && (value < 0)) {
sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
- /* change passed value type to string */
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ /* change passed value type to string */
current = args[objIndex++];
convert_to_string( *current );
ZVAL_STRING( *current, buf, 1 );
@@ -1088,7 +1096,9 @@
add_index_string(*return_value, objIndex++, buf, 1);
}
} else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_long( *current );
Z_LVAL(**current) = value;
@@ -1196,7 +1206,9 @@
double dvalue;
*end = '\0';
dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_double( *current );
Z_DVAL_PP( current ) = dvalue;
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.147&r2=1.1247.2.920.2.148&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.147 php-src/NEWS:1.1247.2.920.2.148
--- php-src/NEWS:1.1247.2.920.2.147 Tue Aug 1 12:04:14 2006
+++ php-src/NEWS Fri Aug 4 11:59:50 2006
@@ -1,6 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2006, Version 4.4.4
+- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
+ execution). (Tony)
- Fixed bug #38278 (session_cache_expire()'s value does not match phpinfo's
session.cache_expire). (Tony)
- Fixed bug #38251 (socket_select() and invalid arguments). (Tony)
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
