tony2001 Fri Aug 4 20:34:31 2006 UTC
Modified files: (Branch: PHP_5_1)
/php-src NEWS
/php-src/ext/standard scanf.c
Log:
MFH: fix #38322 (reading past array in sscanf() leads to arbitary code execution)
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.561&r2=1.2027.2.562&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.561 php-src/NEWS:1.2027.2.562
--- php-src/NEWS:1.2027.2.561 Mon Jul 17 21:13:33 2006
+++ php-src/NEWS Fri Aug 4 20:34:31 2006
@@ -1,6 +1,8 @@
 PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, PHP 5.1.5
+- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
+ execution). (Tony)
 - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
 - Fixed bug #37587 (var without attribute causes segfault). (Marcus)
 - Fixed bug #37576 (FastCGI env (cgi vars) table overflow). (Piotr)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.3&diff_format=u
Index: php-src/ext/standard/scanf.c
diff -u php-src/ext/standard/scanf.c:1.31.2.2 php-src/ext/standard/scanf.c:1.31.2.3
--- php-src/ext/standard/scanf.c:1.31.2.2 Sun Jan 1 12:50:15 2006
+++ php-src/ext/standard/scanf.c Fri Aug 4 20:34:31 2006
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: scanf.c,v 1.31.2.2 2006/01/01 12:50:15 sniper Exp $ */
+/* $Id: scanf.c,v 1.31.2.3 2006/08/04 20:34:31 tony2001 Exp $ */
 /*
 scanf.c --
@@ -732,7 +732,7 @@
 if (*end == '$') {
 format = end+1;
 ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
 }
 }
@@ -762,7 +762,9 @@
 switch (*ch) {
 case 'n':
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
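Review bot: The `- 1` in `objIndex = varStart + value - 1;` makes `%N$` one-based, but nothing in the hunk records that `value` must be at least 1: with `value == 0` the index would be `varStart - 1`, and the `objIndex >= argCount` guards this commit adds at the assignment sites do not catch a negative index. If the format validation pass earlier in the file (outside the hunk) already rejects `%0$`, that invariant belongs at the assignment: `/* N in %N$ is 1-based and has already been range-checked against the argument list; it can be neither 0 nor past argCount here */`; if it does not, an explicit lower-bound check with the existing `goto done` error exit is needed before `args[objIndex]` is used. The enclosing function continues on both sides of the hunk.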
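Review bot: The new `break;` in `case 'n'` leaves `switch (*ch)`, not the scanning loop, so if the `'n'` case still ends with `continue;` as its pre-existing body did (below the hunk), an out-of-range index now falls out of the switch into the generic conversion code that follows it — code a `%n` directive otherwise never reaches, running with whatever state the previous directive left behind. The out-of-range branch should mirror the case's normal exit (`continue;` after the same bookkeeping the case performs on success) or fail explicitly via `goto done`, rather than a bare `break`. The rest of the case body and the code after the switch are outside the hunk, so this needs confirming against the full function.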
@@ -888,7 +890,9 @@
 }
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
@@ -932,7 +936,9 @@
 goto done;
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1089,7 +1095,9 @@
 value = (int) (*fn)(buf, NULL, base);
 if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 /* change passed value type to string */
 current = args[objIndex++];
 convert_to_string( *current );
@@ -1098,7 +1106,9 @@
 add_index_string(*return_value, objIndex++, buf, 1);
 }
 } else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_long( *current );
 Z_LVAL(**current) = value;
@@ -1206,7 +1216,9 @@
 double dvalue;
 *end = '\0';
 dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_double( *current );
 Z_DVAL_PP( current ) = dvalue;
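Review bot: Each of these `break`s exits the per-type conversion `switch` after the input has already been consumed, so an out-of-range `%N$` silently discards the parsed value and scanning continues as though the assignment had happened; the same guard-and-`break` is repeated at @@ -932, @@ -1089, @@ -1098 and @@ -1206 (and @@ -762 in the previous hunk block). A format that indexes past the argument list is a caller error rather than bad input data, so one check before the conversion `switch` that reports it and uses the existing `goto done` exit (visible at @@ -932) would replace the five copies of `if (numVars && objIndex >= argCount) { break; } else if (numVars) {` and make the failure visible instead of silent. The `switch` and the loop around it begin and end outside these hunks, so the right place for a consolidated check has to be confirmed against the full function.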