Sec Bug #67249 printf out-of-bounds read
Submitted: 2014-05-12 01:35 UTC Modified: 2014-05-27 19:21 UTC
From: [email protected] Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.28 OS: *
Private report: No CVE-ID: None
 [2014-05-12 01:35 UTC] [email protected]
Description:
------------
printf does not check bounds properly when parsing the padding specifier (single quote), which may lead to a read of the string past the end of the buffer.

Test script:
---------------
printf("%’", "foo")

Expected result:
----------------
""

Actual result:
--------------
==17598== Conditional jump or move depends on uninitialised value(s)
==17598==    at 0x77EA6A: php_formatted_print (formatted_print.c:504)
==17598==    by 0x77F7B5: zif_user_sprintf (formatted_print.c:671)
==17598==    by 0x8FA5E2: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==17598==    by 0x8EBE7F: execute_ex (zend_vm_execute.h:363)
==17598==    by 0x86A089: zend_eval_stringl (zend_execute_API.c:1187)
==17598==    by 0x86A168: zend_eval_stringl_ex (zend_execute_API.c:1234)
==17598==    by 0x928472: do_cli (php_cli.c:1034)
==17598==    by 0x928EB7: main (php_cli.c:1378)
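
A simplified C model of the kind of bug this report describes, added here as an illustration; it is not the php-src code or the attached fix-printf patch. The function names and the sample buffer are assumptions, and the buffer is constructed so that the byte "past the end" is a harmless sentinel inside the same array.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not the php-src code.
 * Constructed input: the logical format string is the first 2 bytes ("%'").
 * The third byte stands in for whatever memory follows the real buffer. */
static const char SAMPLE[] = { '%', '\'', 'S' };
#define SAMPLE_LEN 2

/* Unchecked: pos is the index just after '%'. The byte after the quote is
 * taken as the padding character without comparing the index to len. */
static char pad_unchecked(const char *fmt, size_t len, size_t pos)
{
    char pad = ' ';
    (void)len;                     /* the defect: len is never consulted */
    if (fmt[pos] == '\'')
        pad = fmt[pos + 1];        /* index == len when the quote is last */
    return pad;
}

/* Checked: returns 0 and stores the padding character (default ' '),
 * or -1 when the quote is the last byte of the format. */
static int pad_checked(const char *fmt, size_t len, size_t pos, char *pad)
{
    *pad = ' ';
    if (pos < len && fmt[pos] == '\'') {
        if (pos + 1 >= len)
            return -1;             /* truncated specifier: reject */
        *pad = fmt[pos + 1];
    }
    return 0;
}

int main(void)
{
    char pad;
    int rc = pad_checked(SAMPLE, SAMPLE_LEN, 1, &pad);
    printf("unchecked took '%c' from past the logical end\n",
           pad_unchecked(SAMPLE, SAMPLE_LEN, 1));
    printf("checked rc=%d\n", rc);
    return 0;
}
```

In a real length-counted buffer there is no sentinel, so the unchecked read lands on whatever follows the string, which is what a memory checker such as Valgrind flags.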


Patches

fix-printf (last revision 2014-05-12 01:47 UTC by [email protected])

Pull Requests

History

 [2014-05-12 01:40 UTC] [email protected]
Test script should be printf("%'", "foo") (no unicode chars)
 [2014-05-12 01:47 UTC] [email protected]
The following patch has been added/updated:

Patch Name: fix-printf
Revision:   1399859257
URL:        https://bugs.php.net/patch-display.php?bug=67249&patch=fix-printf&revision=1399859257
 [2014-05-27 19:21 UTC] [email protected]
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
 [2014-05-27 19:21 UTC] [email protected]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-06-01 15:05 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-04 01:22 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-06 07:00 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-06-06 07:07 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=091b7642c2d8a087d3cbcba681369abfb964330d
Log: Fix bug #67249: printf out-of-bounds read
 [2014-07-29 21:57 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-08-14 15:34 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read
 [2014-08-14 19:32 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d780c2a673ef25166aaec994f14bfec4f57ab8dd
Log: Fix bug #67249: printf out-of-bounds read