Hi, I discovered a bug in sprintf()'s argument swapping code. It accepts an argument number of zero, which is invalid. It is handled in different ways in different libcs, but i figured the best way to handle it in PHP was to make the functioncall fail. Patch is attached.
Best regards, Morten PS. Thanks to mbn for whining :-) -- Morten Poulsen <[EMAIL PROTECTED]> http://www.afdelingp.dk/
Index: ext/standard/formatted_print.c =================================================================== RCS file: /repository/php4/ext/standard/formatted_print.c,v retrieving revision 1.46 diff -u -r1.46 formatted_print.c --- ext/standard/formatted_print.c 28 Feb 2002 08:26:45 -0000 1.46 +++ ext/standard/formatted_print.c 21 Mar 2002 16:26:35 -0000 @@ -479,7 +479,12 @@ temppos = inpos; while (isdigit((int)format[temppos])) temppos++; if (format[temppos] == '$') { - argnum = php_sprintf_getnumber(format, &inpos); + if ((argnum = php_sprintf_getnumber(format, &inpos)) == 0) { + efree(result); + efree(args); + php_error(E_WARNING, "%s(): zero is not a valid argument number", get_active_function_name(TSRMLS_C)); + return NULL; + } inpos++; /* skip the '$' */ } else { argnum = currarg++; Index: tests/strings/002.phpt =================================================================== RCS file: /repository/php4/tests/strings/002.phpt,v retrieving revision 1.3 diff -u -r1.3 002.phpt --- tests/strings/002.phpt 9 Apr 2001 15:44:24 -0000 1.3 +++ tests/strings/002.phpt 21 Mar 2002 16:26:36 -0000 @@ -38,6 +38,7 @@ printf("printf test 27:%3\$d %d %d\n", 1, 2, 3); printf("printf test 28:%2\$02d %1\$2d\n", 1, 2); printf("printf test 29:%2\$-2d %1\$2d\n", 1, 2); +print("printf test 30:"); printf("%0\$s", 1); print("x\n"); ?> --EXPECT-- @@ -72,3 +73,4 @@ printf test 27:3 1 2 printf test 28:02 1 printf test 29:2 1 +printf test 30:x
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php