From: Ilia Alshanetsky <iliaa@php.net>
Date: Sat, 13 Jan 2007 16:32:29 +0000 (+0000)
Subject: MFB: Improve validation of argnum, width and precision.
X-Git-Tag: RELEASE_1_0_0RC1~274
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c4df94e10b02b8a261424b174dd0c6259fe1c43d;p=php

MFB: Improve validation of argnum, width and precision.
---

diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 35ed348769..7d6903bf44 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -591,7 +591,7 @@ php_u_sprintf_append2n(UChar **buffer, int *pos, int *size, long number,
 /* }}} */
 
 /* php_sprintf_getnumber() {{{ */
-inline static long
+inline static int
 php_sprintf_getnumber(char *buffer, int *pos)
 {
 	char *endptr;
@@ -603,7 +603,12 @@ php_sprintf_getnumber(char *buffer, int *pos)
 	}
 	PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i));
 	*pos += i;
-	return num;
+
+	if (num >= INT_MAX || num < 0) {
+		return -1;
+	} else {
+		return (int) num;
+	}
 }
 /* }}} */
 
@@ -651,10 +656,9 @@ static char * php_formatted_print(int ht, int *len, int use_array, int format_of
 {
 	zval ***args, **z_format;
 	int argc, size = 240, inpos = 0, outpos = 0, temppos;
-	int alignment, currarg, adjusting;
+	int alignment, currarg, adjusting, argnum, width, precision;
 	char *format, *result, padding;
 	int always_sign;
-	long argnum, width, precision;
 
 	argc = ZEND_NUM_ARGS();
 
@@ -728,10 +732,10 @@ static char * php_formatted_print(int ht, int *len, int use_array, int format_of
 				if (format[temppos] == '$') {
 					argnum = php_sprintf_getnumber(format, &inpos);
 
-					if (argnum == 0) {
+					if (argnum <= 0) {
 						efree(result);
 						efree(args);
-						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zero is not a valid argument number");
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number must be greater then zero.");
 						return NULL;
 					}
 
@@ -770,7 +774,12 @@ static char * php_formatted_print(int ht, int *len, int use_array, int format_of
 				/* after modifiers comes width */
 				if (isdigit((int)format[inpos])) {
 					PRINTF_DEBUG(("sprintf: getting width\n"));
-					width = php_sprintf_getnumber(format, &inpos);
+					if ((width = php_sprintf_getnumber(format, &inpos)) < 0) {
+						efree(result);
+						efree(args);
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Width must be greater then zero and less then %d.", INT_MAX);
+						return NULL;
+					}
 					adjusting |= ADJ_WIDTH;
 				} else {
 					width = 0;
@@ -782,7 +791,12 @@ static char * php_formatted_print(int ht, int *len, int use_array, int format_of
 					inpos++;
 					PRINTF_DEBUG(("sprintf: getting precision\n"));
 					if (isdigit((int)format[inpos])) {
-						precision = php_sprintf_getnumber(format, &inpos);
+						if ((precision = php_sprintf_getnumber(format, &inpos)) < 0) {
+							efree(result);
+							efree(args);
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Precision must be greater then zero and less then %d.", INT_MAX);
+							return NULL;
+						}
 						adjusting |= ADJ_PRECISION;
 						expprec = 1;
 					} else {