ID: 35978
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: No Feedback
+Status: Closed
Bug Type: Reproducible crash
-Operating System: irrelevant
+Operating System: *
-PHP Version: 6CVS-2006-01-12 (CVS)
+PHP Version: 5.1.2
Assigned To: helly

New Comment:
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2006-01-20 01:00:04] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being
suspended automatically. If you are able to provide the information
that was originally requested, please do so and change the status of
the bug back to "Open".

------------------------------------------------------------------------

[2006-01-12 14:38:10] [EMAIL PROTECTED]

To reproduce this you need to write a PHP extension, because the
problem is in our spprintf/snprintf functions. You could try something
like

  spprintf("blah%n", &x);

It should crash, because when %n is parsed it will write 4 to x and
then try to output what currently is within s and has the length
s_len. Because s_len is not initialised it will try to output a
"random" number of bytes stored at NULL. When %n is found it has to
overjump the whole output process.

You don't need a backtrace: it will crash in

  static void xbuf_format_converter(smart_str *xbuf, const char *fmt, va_list ap)
  {

when it tries to do

  /*
   * Print the string s.
   */
  INS_STRING(xbuf, s, s_len);

at the end of the function, because s and s_len are not properly
initialised. %n should at least set s_len to 0 if not overjump the
output step completely.

------------------------------------------------------------------------

[2006-01-12 14:22:50] [EMAIL PROTECTED]

Reproduce case and gdb backtrace are highly welcome.

------------------------------------------------------------------------

[2006-01-12 14:12:32] [EMAIL PROTECTED]

Description:
------------
%n is wrongly implemented in our low level printf functions.
When %n is used, it does not only write the char counter but also
again outputs whatever is in the current string buffer. => crash when
%n is used first.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=35978&edit=1
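The control flow that helly's comment above asks for, as an added example
written for this page: a simplified printf-style converter in C that is
NOT PHP's own snprintf.c/spprintf.c code. The xbuf_t buffer, the
xbuf_format_converter and xspprintf names, and the run_n_case helper are
hypothetical stand-ins for smart_str, PHP's xbuf_format_converter and
spprintf. The point is the %n branch: it stores the byte count and then
continues to the next format character, so the final "print the string s"
step is never reached with s and s_len unset, which is exactly the path the
report describes crashing when %n is the first conversion.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable output buffer, a hypothetical stand-in for smart_str. */
typedef struct {
    char *data;
    size_t len;
    size_t cap;
} xbuf_t;

static void xbuf_init(xbuf_t *b) {
    b->cap = 64;
    b->len = 0;
    b->data = malloc(b->cap);
    b->data[0] = '\0';
}

/* Append s_len bytes of s (the equivalent of the INS_STRING step). */
static void xbuf_append(xbuf_t *b, const char *s, size_t s_len) {
    while (b->len + s_len + 1 > b->cap) {
        b->cap *= 2;
        b->data = realloc(b->data, b->cap);
    }
    memcpy(b->data + b->len, s, s_len);
    b->len += s_len;
    b->data[b->len] = '\0';
}

/* Simplified converter supporting %s, %d, %% and %n.
 * Every branch that produces output sets s and s_len before falling
 * through to the append at the bottom; %n sets neither, so it must
 * 'continue' and skip that append entirely. Returns -1 on a bad format. */
static int xbuf_format_converter(xbuf_t *xbuf, const char *fmt, va_list ap) {
    char num_buf[32];
    while (*fmt) {
        const char *s;
        size_t s_len;

        if (*fmt != '%') {          /* literal text: copy one byte */
            xbuf_append(xbuf, fmt, 1);
            fmt++;
            continue;
        }
        fmt++;                      /* skip the '%' */
        switch (*fmt) {
        case 's':
            s = va_arg(ap, const char *);
            if (s == NULL) s = "(null)";
            s_len = strlen(s);
            break;
        case 'd':
            s_len = (size_t)snprintf(num_buf, sizeof num_buf, "%d", va_arg(ap, int));
            s = num_buf;
            break;
        case '%':
            s = "%";
            s_len = 1;
            break;
        case 'n':
            /* Store the number of bytes emitted so far, then jump over
             * the output step: there is nothing to print for %n. */
            *va_arg(ap, int *) = (int)xbuf->len;
            fmt++;
            continue;
        default:                    /* unknown conversion or trailing '%' */
            return -1;
        }
        fmt++;
        /* Print the string s: only reached by branches that set s/s_len. */
        xbuf_append(xbuf, s, s_len);
    }
    return 0;
}

/* spprintf-style wrapper: returns a malloc'd string (caller frees) or
 * NULL if the format was rejected. */
static char *xspprintf(const char *fmt, ...) {
    xbuf_t b;
    va_list ap;
    int rc;
    xbuf_init(&b);
    va_start(ap, fmt);
    rc = xbuf_format_converter(&b, fmt, ap);
    va_end(ap);
    if (rc != 0) { free(b.data); return NULL; }
    return b.data;
}

/* Check one format containing exactly one %n and no other argument-
 * consuming conversion. Returns 1 when output and stored count match. */
static int run_n_case(const char *fmt, const char *expect_out, int expect_n) {
    int n = -1;
    char *out = xspprintf(fmt, &n);
    int ok = out != NULL && strcmp(out, expect_out) == 0 && n == expect_n;
    free(out);
    return ok;
}

int main(void) {
    int first = -1, later = -1;
    char *out = xspprintf("%nblah%n %s %d", &first, &later, "x", 42);
    printf("out=\"%s\" first=%d later=%d\n", out, first, later);
    free(out);
    return 0;
}
```

The "%n first" case is the trigger named in the report: with the continue in
place it yields an empty count of 0 and no output, where a converter that
fell through to the append would read whatever s and s_len happened to hold.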