MFH: fix #38322 (reading past array in sscanf() leads to arbitary code execution)

2024-11-28 12:26:37 +08:00 · 2006-08-04 11:50:15 +00:00 · 2006-08-04 11:50:15 +00:00 · afcbbe2b86
commit afcbbe2b86
parent 00bc797b68
2 changed files with 21 additions and 7 deletions
--- a/2
+++ b/2
@ -30,6 +30,8 @@ PHP                                                                        NEWS
 - Fixed phpinfo() cutoff of variables at \0. (Ilia)
 - Fixed a bug in the filter extension that prevented magic_quotes_gpc from
  being applied when RAW filter is used. (Ilia)
+- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code 
+  execution). (Tony)
 - Fixed bug #38303 (spl_autoload_register() supress all errors silently).
  (Ilia)
 - Fixed bug #38289 (segfault in session_decode() when _SESSION is NULL). 
--- a/ext/standard/scanf.c
+++ b/ext/standard/scanf.c
@ -732,7 +732,7 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 			if (*end == '$') {
 				format = end+1;
 				ch = format++;
-				objIndex = varStart + value;
+				objIndex = varStart + value - 1;
 			}
 		}

@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 		switch (*ch) {
 			case 'n':
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;

 						current = args[objIndex++];
@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 					}
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;

 						current = args[objIndex++];
@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 					goto done;
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						zval_dtor( *current );
 						ZVAL_STRINGL( *current, string, end-string, 1);
@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 					value = (int) (*fn)(buf, NULL, base);
 					if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 						sprintf(buf, "%u", value); /* INTL: ISO digit */
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 						  /* change passed value type to string */
 						   current = args[objIndex++];
 						   convert_to_string( *current );
@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 							add_index_string(*return_value, objIndex++, buf, 1);
 						}
 					} else {
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 							current = args[objIndex++];
 							convert_to_long( *current );
 							Z_LVAL(**current) = value;
@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal(	char *string, char *format,
 					double dvalue;
 					*end = '\0';
 					dvalue = zend_strtod(buf, NULL);
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						convert_to_double( *current );
 						Z_DVAL_PP( current ) = dvalue;