Hi, I discovered a bug in sprintf()'s argument swapping code. It accepts an argument number of zero, which is invalid. It is handled in different ways in different libcs, but i figured the best way to handle it in PHP was to make the functioncall fail. Patch is attached.
Best regards, Morten PS. Thanks to mbn for whining :-)
diff -ur php-4.1.2.orig/ext/standard/formatted_print.c php-4.1.2/ext/standard/formatted_print.c --- php-4.1.2.orig/ext/standard/formatted_print.c Fri Mar 15 16:33:12 2002 +++ php-4.1.2/ext/standard/formatted_print.c Fri Mar 15 17:12:29 2002 @@ -479,7 +479,12 @@ temppos = inpos; while (isdigit((int)format[temppos])) temppos++; if (format[temppos] == '$') { - argnum = php_sprintf_getnumber(format, &inpos); + if ((argnum = php_sprintf_getnumber(format, &inpos)) == 0) { + efree(result); + efree(args); + php_error(E_WARNING, "%s(): zero is not a valid argument number", get_active_function_name(TSRMLS_C)); + return NULL; + } inpos++; /* skip the '$' */ } else { argnum = currarg++; diff -ur php-4.1.2.orig/tests/strings/002.phpt php-4.1.2/tests/strings/002.phpt --- php-4.1.2.orig/tests/strings/002.phpt Fri Mar 15 16:33:13 2002 +++ php-4.1.2/tests/strings/002.phpt Fri Mar 15 17:10:28 2002 @@ -38,6 +38,7 @@ printf("printf test 27:%3\$d %d %d\n", 1, 2, 3); printf("printf test 28:%2\$02d %1\$2d\n", 1, 2); printf("printf test 29:%2\$-2d %1\$2d\n", 1, 2); +print("printf test 30:"); printf("%0\$s"); print("x\n"); ?> --EXPECT-- @@ -72,3 +73,4 @@ printf test 27:3 1 2 printf test 28:02 1 printf test 29:2 1 +printf test 30:x
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php