iliaa Sat Jan 13 16:31:36 2007 UTC
Modified files: (Branch: PHP_4_4)
/php-src/ext/standard formatted_print.c
Log:
MFH: Improve validation of argnum, width and precision.
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.59.2.15.2.3&r2=1.59.2.15.2.4&diff_format=u
Index: php-src/ext/standard/formatted_print.c
diff -u php-src/ext/standard/formatted_print.c:1.59.2.15.2.3
php-src/ext/standard/formatted_print.c:1.59.2.15.2.4
--- php-src/ext/standard/formatted_print.c:1.59.2.15.2.3 Fri Jan 12
02:04:37 2007
+++ php-src/ext/standard/formatted_print.c Sat Jan 13 16:31:36 2007
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: formatted_print.c,v 1.59.2.15.2.3 2007/01/12 02:04:37 iliaa Exp $ */
+/* $Id: formatted_print.c,v 1.59.2.15.2.4 2007/01/13 16:31:36 iliaa Exp $ */
#include <math.h> /* modf() */
#include "php.h"
@@ -441,7 +441,7 @@
}
-inline static long
+inline static int
php_sprintf_getnumber(char *buffer, int *pos)
{
char *endptr;
@@ -453,7 +453,12 @@
}
PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i));
*pos += i;
- return num;
+
+ if (num >= INT_MAX || num < 0) {
+ return -1;
+ } else {
+ return (int) num;
+ }
}
/* {{{ php_formatted_print
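Review bot: The new `-1` return from php_sprintf_getnumber() is an undocumented sentinel, and every caller now depends on it. A header comment on the function would make the contract explicit, for example `/* Parses a decimal number at buffer[*pos], advances *pos past it; returns -1 if the value is negative or does not fit below INT_MAX. */`. The declaration of `num` and the conversion call sit above this hunk, so I am assuming `num` is still a `long`; if it were an `int`, the `num >= INT_MAX` test would never catch an overflow. It is also worth confirming that `<limits.h>` is reachable from the visible includes, since the hunk does not add it.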
@@ -486,10 +491,9 @@
{
zval ***args, **z_format, **array;
int argc, size = 240, inpos = 0, outpos = 0, temppos;
- int alignment, currarg, adjusting;
+ int alignment, currarg, adjusting, argnum, width, precision;
char *format, *result, padding;
int always_sign;
- long argnum, width, precision;
argc = ZEND_NUM_ARGS();
@@ -553,10 +557,10 @@
if (format[temppos] == '$') {
argnum = php_sprintf_getnumber(format,
&inpos);
- if (argnum == 0) {
+ if (argnum <= 0) {
efree(result);
efree(args);
- php_error_docref(NULL
TSRMLS_CC, E_WARNING, "Zero is not a valid argument number");
+ php_error_docref(NULL
TSRMLS_CC, E_WARNING, "Argument number must be greater then zero.");
return NULL;
}
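Review bot: The `argnum <= 0` branch now also catches the out-of-range sentinel (`-1`), but the warning only mentions zero. A format such as an argument number larger than INT_MAX is therefore reported as "must be greater then zero", which is misleading. The string also has a typo, "then" for "than", and the same typo appears in the width and precision messages in the hunks at 597 and 614. Suggested wording, mirroring the other two messages: `"Argument number must be greater than zero and less than %d."` with `INT_MAX` passed as the argument.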
@@ -593,7 +597,12 @@
/* after modifiers comes width */
if (isdigit((int)format[inpos])) {
PRINTF_DEBUG(("sprintf: getting
width\n"));
- width = php_sprintf_getnumber(format,
&inpos);
+ if ((width =
php_sprintf_getnumber(format, &inpos)) < 0) {
+ efree(result);
+ efree(args);
+ php_error_docref(NULL
TSRMLS_CC, E_WARNING, "Width must be greater then zero and less then %d.",
INT_MAX);
+ return NULL;
+ }
adjusting |= ADJ_WIDTH;
} else {
width = 0;
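Review bot: The check on `width` only guarantees the value fits in an `int`; any width up to INT_MAX - 1 is still accepted and passed on. The same holds for `precision` in the hunk at 614. The padding and buffer-growth code that consumes these values is outside this diff, so it cannot be confirmed here that adding such a width to the current output size is overflow-safe. A comment at this point would record the assumption: `/* width is only range-checked to fit an int; the append helpers must guard size + width against overflow */`. Alternatively, reject widths above a documented practical maximum here. Separately, the message says "greater than zero" while the test rejects only negative returns.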
@@ -605,7 +614,12 @@
inpos++;
PRINTF_DEBUG(("sprintf: getting
precision\n"));
if (isdigit((int)format[inpos])) {
- precision =
php_sprintf_getnumber(format, &inpos);
+ if ((precision =
php_sprintf_getnumber(format, &inpos)) < 0) {
+ efree(result);
+ efree(args);
+ php_error_docref(NULL
TSRMLS_CC, E_WARNING, "Precision must be greater then zero and less then %d.",
INT_MAX);
+ return NULL;
+ }
adjusting |= ADJ_PRECISION;
expprec = 1;
} else {