- Fixed phpinfo() cutoff of variables at \0. (Ilia)
- Fixed a bug in the filter extension that prevented magic_quotes_gpc from
being applied when RAW filter is used. (Ilia)
+- Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
+ execution). (Tony)
- Fixed bug #38303 (spl_autoload_register() supress all errors silently).
(Ilia)
- Fixed bug #38289 (segfault in session_decode() when _SESSION is NULL).
if (*end == '$') {
format = end+1;
ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
}
}
switch (*ch) {
case 'n':
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
zend_uint refcount;
current = args[objIndex++];
}
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
zend_uint refcount;
current = args[objIndex++];
goto done;
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
zval_dtor( *current );
ZVAL_STRINGL( *current, string, end-string, 1);
value = (int) (*fn)(buf, NULL, base);
if ((flags & SCAN_UNSIGNED) && (value < 0)) {
sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
/* change passed value type to string */
current = args[objIndex++];
convert_to_string( *current );
add_index_string(*return_value, objIndex++, buf, 1);
}
} else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_long( *current );
Z_LVAL(**current) = value;
double dvalue;
*end = '\0';
dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_double( *current );
Z_DVAL_PP( current ) = dvalue;
projects / php / commitdiff