PHP :: Sec Bug #67249 :: printf out-of-bounds read

[2014-05-12 01:35 UTC] stas@php.net

Description:
------------
printf does not check bounds properly when parsing padding specifier (single quote) which may lead to read of string past the end of the buffer. 

Test script:
---------------
printf("%’", "foo")

Expected result:
----------------
""

Actual result:
--------------
==17598== Conditional jump or move depends on uninitialised value(s)
==17598==    at 0x77EA6A: php_formatted_print (formatted_print.c:504)
==17598==    by 0x77F7B5: zif_user_sprintf (formatted_print.c:671)
==17598==    by 0x8FA5E2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==17598==    by 0x8EBE7F: execute_ex (zend_vm_execute.h:363)
==17598==    by 0x86A089: zend_eval_stringl (zend_execute_API.c:1187)
==17598==    by 0x86A168: zend_eval_stringl_ex (zend_execute_API.c:1234)
==17598==    by 0x928472: do_cli (php_cli.c:1034)
==17598==    by 0x928EB7: main (php_cli.c:1378)

[2014-05-12 01:40 UTC] stas@php.net

Test script should be printf("%'", "foo") (no unicode chars)

[2014-05-27 19:21 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

[2014-05-27 19:21 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.