mirror of
https://github.com/php/php-src.git
synced 2024-11-28 04:14:26 +08:00
MFH: fix #38322 (reading past array in sscanf() leads to arbitary code execution)
This commit is contained in:
parent
00bc797b68
commit
afcbbe2b86
2
NEWS
2
NEWS
@ -30,6 +30,8 @@ PHP NEWS
|
||||
- Fixed phpinfo() cutoff of variables at \0. (Ilia)
|
||||
- Fixed a bug in the filter extension that prevented magic_quotes_gpc from
|
||||
being applied when RAW filter is used. (Ilia)
|
||||
- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
|
||||
execution). (Tony)
|
||||
- Fixed bug #38303 (spl_autoload_register() supress all errors silently).
|
||||
(Ilia)
|
||||
- Fixed bug #38289 (segfault in session_decode() when _SESSION is NULL).
|
||||
|
@ -732,7 +732,7 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
if (*end == '$') {
|
||||
format = end+1;
|
||||
ch = format++;
|
||||
objIndex = varStart + value;
|
||||
objIndex = varStart + value - 1;
|
||||
}
|
||||
}
|
||||
|
||||
@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
switch (*ch) {
|
||||
case 'n':
|
||||
if (!(flags & SCAN_SUPPRESS)) {
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
zend_uint refcount;
|
||||
|
||||
current = args[objIndex++];
|
||||
@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
}
|
||||
}
|
||||
if (!(flags & SCAN_SUPPRESS)) {
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
zend_uint refcount;
|
||||
|
||||
current = args[objIndex++];
|
||||
@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
goto done;
|
||||
}
|
||||
if (!(flags & SCAN_SUPPRESS)) {
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
current = args[objIndex++];
|
||||
zval_dtor( *current );
|
||||
ZVAL_STRINGL( *current, string, end-string, 1);
|
||||
@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
value = (int) (*fn)(buf, NULL, base);
|
||||
if ((flags & SCAN_UNSIGNED) && (value < 0)) {
|
||||
sprintf(buf, "%u", value); /* INTL: ISO digit */
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
/* change passed value type to string */
|
||||
current = args[objIndex++];
|
||||
convert_to_string( *current );
|
||||
@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
add_index_string(*return_value, objIndex++, buf, 1);
|
||||
}
|
||||
} else {
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
current = args[objIndex++];
|
||||
convert_to_long( *current );
|
||||
Z_LVAL(**current) = value;
|
||||
@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal( char *string, char *format,
|
||||
double dvalue;
|
||||
*end = '\0';
|
||||
dvalue = zend_strtod(buf, NULL);
|
||||
if (numVars) {
|
||||
if (numVars && objIndex >= argCount) {
|
||||
break;
|
||||
} else if (numVars) {
|
||||
current = args[objIndex++];
|
||||
convert_to_double( *current );
|
||||
Z_DVAL_PP( current ) = dvalue;
|
||||
|
Loading…
Reference in New Issue
Block a user