--

In multiple places 'spprintf' is called with a NULL 'pbuf', which
passes itself to vspprintf, which dereferences it.

Although most places check whether 'pbuf' (normally called 'error')
is null, it is smarter to check it inside the function that
requires a non-null value.

This will avoid future problems, too.

See bug #68839 [https://bugs.php.net/bug.php?id=68839] for an example of NULL
being passed to spprintf.
There are multiple other places where checks are not used to confirm error/pbuf
is not null.
---
 main/spprintf.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/main/spprintf.c b/main/spprintf.c
index cd14882..ba12868 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -840,6 +840,17 @@ PHPAPI size_t vspprintf(char **pbuf, size_t max_len, const 
char *format, va_list
        smart_string buf = {0};
        size_t result;
 
+
+       /*
+        * Test 'pbuf'(also known as 'error') against NULL,
+        * since it is called multiple places without
+        * checking against NULL, causing null pointer
+        *dereferences.
+        */
+       if(!pbuf) {
+               return 0;
+       }
+
        xbuf_format_converter(&buf, 1, format, ap);
 
        if (max_len && buf.len > max_len) {
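Review bot: The early `return 0` in the new `if(!pbuf)` block makes a NULL `pbuf` look the same to the caller as a formatted string of length zero, so the caller bug this guards against is silently hidden rather than surfaced. Since the function returns `size_t` and has no error channel, consider at least stating the "NULL pbuf returns 0 and writes nothing" contract in the function's header comment, and adding a debug-build assertion or warning ahead of the return so the offending call sites (the commit message says there are several) still get found and fixed. Placing the check before `xbuf_format_converter(&buf, 1, format, ap);` is right, because nothing has been allocated into `buf` yet and the early return leaks nothing. Style: drop the extra blank `+` line at the top of the hunk, write `if (!pbuf) {` with a space to match the `if (max_len && ...` line below, and fix the unaligned ` *dereferences.` line in the comment.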
-- 
1.9.1


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
