ID: 35978
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Feedback
Bug Type: Reproducible crash
Operating System: irrelevant
PHP Version: 6CVS-2006-01-12 (CVS)
Assigned To: helly
New Comment:
To reproduce this you need to write a PHP extension, because the
problem is in our spprintf/snprintf functions. You could try something
like
spprintf("blah%n", &x);
It should crash, because when %n is parsed it will write 4 to x and
then try to output what currently is within s and has the length s_len.
Because s_len is not initialised it will try to output a "random" number
of bytes stored at NULL. When %n is found it has to overjump the whole
output process.
You don't need a backtrace: it will crash in
static void xbuf_format_converter(smart_str *xbuf, const char *fmt,
va_list ap)
{
when it tries to do
/*
* Print the string s.
*/
INS_STRING(xbuf, s, s_len);
at the end of the function. Because s and s_len are not properly
initialised. %n should at least set s_len to 0 if not overjump the
output step completely.
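As an added illustration (not code from PHP or from this report), here is a toy format converter in C that models the control flow the comment above asks for: the %n branch records the character count written so far and skips the output step entirely, and s and s_len are initialised before every conversion so no path reaches the copy with garbage values. The names mini_format_converter, mini_spprintf, mini_buf and ins_string are my own stand-ins for xbuf_format_converter, spprintf, smart_str and INS_STRING; the sample format strings are constructed for the demo, and the code does not reproduce the crash, only the corrected handling.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for smart_str: a fixed buffer plus current length (assumption). */
typedef struct {
    char buf[256];
    size_t len;
} mini_buf;

/* Stand-in for INS_STRING: append s_len bytes of s, truncating at the buffer end. */
static void ins_string(mini_buf *xbuf, const char *s, size_t s_len) {
    if (xbuf->len + s_len >= sizeof(xbuf->buf))
        s_len = sizeof(xbuf->buf) - 1 - xbuf->len;
    memcpy(xbuf->buf + xbuf->len, s, s_len);
    xbuf->len += s_len;
    xbuf->buf[xbuf->len] = '\0';
}

/* Minimal converter handling %s, %d, %% and %n.  The point of interest is
 * the %n case: it stores the count and sets skip_output, so the final
 * ins_string() call is bypassed instead of being reached with stale s/s_len. */
static void mini_format_converter(mini_buf *xbuf, const char *fmt, va_list ap) {
    char num_buf[32];
    while (*fmt) {
        const char *s;
        size_t s_len;
        int skip_output;

        if (*fmt != '%') {          /* literal character: copy it through */
            ins_string(xbuf, fmt, 1);
            fmt++;
            continue;
        }
        fmt++;
        s = "";                     /* always initialised before the switch */
        s_len = 0;
        skip_output = 0;

        switch (*fmt) {
        case 's':
            s = va_arg(ap, const char *);
            if (s == NULL) s = "(null)";
            s_len = strlen(s);
            break;
        case 'd':
            s_len = (size_t)snprintf(num_buf, sizeof num_buf, "%d", va_arg(ap, int));
            s = num_buf;
            break;
        case 'n':
            /* Write the number of characters produced so far ... */
            *va_arg(ap, int *) = (int)xbuf->len;
            /* ... and produce no output of our own: this is the fix. */
            skip_output = 1;
            break;
        case '%':
            s = "%";
            s_len = 1;
            break;
        case '\0':                  /* dangling '%' at end of format */
            return;
        default:                    /* unknown conversion: echo it verbatim */
            s = fmt - 1;
            s_len = 2;
            break;
        }
        if (!skip_output)
            ins_string(xbuf, s, s_len);
        fmt++;
    }
}

/* Stand-in for spprintf: formats into out and returns the output length. */
static int mini_spprintf(mini_buf *out, const char *fmt, ...) {
    va_list ap;
    out->len = 0;
    out->buf[0] = '\0';
    va_start(ap, fmt);
    mini_format_converter(out, fmt, ap);
    va_end(ap);
    return (int)out->len;
}

/* The reporter's scenario: %n as the very first conversion.
 * Returns 1 when x is 0 and the output is exactly "blah". */
static int demo_n_first(void) {
    mini_buf b;
    int x = -1;
    mini_spprintf(&b, "%nblah", &x);
    return x == 0 && strcmp(b.buf, "blah") == 0;
}

/* %n after some output (constructed format string): returns the recorded
 * count when the output is "abcval=42", or -1 if the output is wrong. */
static int demo_n_later(void) {
    mini_buf b;
    int x = -1;
    mini_spprintf(&b, "abc%n%s=%d", &x, "val", 42);
    return strcmp(b.buf, "abcval=42") == 0 ? x : -1;
}

int main(void) {
    mini_buf b;
    int x = -1;
    mini_spprintf(&b, "abc%n%s=%d", &x, "val", 42);
    printf("output=\"%s\" chars_before_n=%d\n", b.buf, x);
    return 0;
}
```

The two demo functions encode the behaviour the report expects: with the skip in place, "%nblah" stores 0 and prints "blah", and "abc%n%s=%d" stores 3 and prints "abcval=42". Initialising s and s_len before the switch is the belt-and-braces half of the fix the comment mentions (s_len = 0), so that even a conversion that forgets to set skip_output copies nothing rather than reading an uninitialised length.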
Previous Comments:
------------------------------------------------------------------------
[2006-01-12 14:22:50] [EMAIL PROTECTED]
Reproduce case and gdb backtrace are highly welcome.
------------------------------------------------------------------------
[2006-01-12 14:12:32] [EMAIL PROTECTED]
Description:
------------
%n is wrongly implemented in our low level printf functions.
When %n is used, it does not only write the char counter but also
again outputs whatever is in the current string buffer. => crash when
%n is used first.
------------------------------------------------------------------------