iliaa           Sat Jan 13 16:31:17 2007 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src/ext/standard       formatted_print.c 
  Log:
  
  Improve validation of argnum, width and precision.
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.82.2.1.2.12&r2=1.82.2.1.2.13&diff_format=u
Index: php-src/ext/standard/formatted_print.c
diff -u php-src/ext/standard/formatted_print.c:1.82.2.1.2.12 
php-src/ext/standard/formatted_print.c:1.82.2.1.2.13
--- php-src/ext/standard/formatted_print.c:1.82.2.1.2.12        Fri Jan 12 
02:03:59 2007
+++ php-src/ext/standard/formatted_print.c      Sat Jan 13 16:31:17 2007
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: formatted_print.c,v 1.82.2.1.2.12 2007/01/12 02:03:59 iliaa Exp $ */
+/* $Id: formatted_print.c,v 1.82.2.1.2.13 2007/01/13 16:31:17 iliaa Exp $ */
 
 #include <math.h>                              /* modf() */
 #include "php.h"
@@ -308,7 +308,7 @@
 }
 
 
-inline static long
+inline static int
 php_sprintf_getnumber(char *buffer, int *pos)
 {
        char *endptr;
@@ -320,7 +320,12 @@
        }
        PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i));
        *pos += i;
-       return num;
+
+       if (num >= INT_MAX || num < 0) {
+               return -1;
+       } else {
+               return (int) num;
+       }
 }
 
 /* {{{ php_formatted_print
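Review bot: The new `return -1` in php_sprintf_getnumber is an undocumented sentinel, yet all three call sites now rely on it to reject out-of-range numbers. A short comment above the function would state the contract, for example `/* Returns the parsed number, or -1 if it is negative or not below INT_MAX. */`. The start of the function, including the parse that produces `num`, is outside this hunk, so it cannot be confirmed here how a saturated or failed parse is reported. The `num >= INT_MAX` test would at least catch a result clamped to LONG_MAX, if that is how the parse reports overflow.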
@@ -352,10 +357,9 @@
 {
        zval ***args, **z_format;
        int argc, size = 240, inpos = 0, outpos = 0, temppos;
-       int alignment, currarg, adjusting;
+       int alignment, currarg, adjusting, argnum, width, precision;
        char *format, *result, padding;
        int always_sign;
-       long argnum, width, precision;
 
        argc = ZEND_NUM_ARGS();
 
@@ -429,10 +433,10 @@
                                if (format[temppos] == '$') {
                                        argnum = php_sprintf_getnumber(format, 
&inpos);
 
-                                       if (argnum == 0) {
+                                       if (argnum <= 0) {
                                                efree(result);
                                                efree(args);
-                                               php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Zero is not a valid argument number");
+                                               php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Argument number must be greater then zero.");
                                                return NULL;
                                        }
 
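Review bot: The new warning text is wrong for the overflow case, because `argnum <= 0` now also fires when php_sprintf_getnumber returns -1 for a number at or above INT_MAX, and the user is then told the argument number must be greater than zero. Wording that covers both cases would be `"Argument number must be greater than zero and less than %d"` with `INT_MAX` passed as the argument, matching the width and precision messages. The string also says "then" where "than" is meant; the same slip appears in the width and precision hunks below.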
@@ -471,7 +475,12 @@
                                /* after modifiers comes width */
                                if (isdigit((int)format[inpos])) {
                                        PRINTF_DEBUG(("sprintf: getting 
width\n"));
-                                       width = php_sprintf_getnumber(format, 
&inpos);
+                                       if ((width = 
php_sprintf_getnumber(format, &inpos)) < 0) {
+                                               efree(result);
+                                               efree(args);
+                                               php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Width must be greater then zero and less then %d.", 
INT_MAX);
+                                               return NULL;
+                                       }
                                        adjusting |= ADJ_WIDTH;
                                } else {
                                        width = 0;
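Review bot: The `< 0` check rejects only widths at or above INT_MAX, so a width just below INT_MAX is still accepted and passed on. The code that consumes `width` is not visible in this diff; if the padding path adds it to an output position or a buffer size in `int` arithmetic, that sum can still wrap for such values. Consider a much lower cap on the parsed number, or an explicit overflow check where the required size is computed. The same concern applies to `precision` in the next hunk.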
@@ -483,7 +492,12 @@
                                        inpos++;
                                        PRINTF_DEBUG(("sprintf: getting 
precision\n"));
                                        if (isdigit((int)format[inpos])) {
-                                               precision = 
php_sprintf_getnumber(format, &inpos);
+                                               if ((precision = 
php_sprintf_getnumber(format, &inpos)) < 0) {
+                                                       efree(result);
+                                                       efree(args);
+                                                       php_error_docref(NULL 
TSRMLS_CC, E_WARNING, "Precision must be greater then zero and less then %d.", 
INT_MAX);
+                                                       return NULL;
+                                               }
                                                adjusting |= ADJ_PRECISION;
                                                expprec = 1;
                                        } else {
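Review bot: The precision warning says the value must be greater than zero, but the guard is `< 0`, so a precision of 0 (as in `%.0f`) is accepted and only the out-of-range case reaches this branch. The message should describe what is actually rejected, for example `"Precision must be between 0 and %d"`, or simply say the precision is too large. The enclosing block continues past the end of this hunk.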
