From 30a5f3da99ba554e5553e4771a81402c20306640 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 22 Apr 2020 10:11:58 +0200
Subject: [PATCH] printf: Report error if missing padding character
---
 ext/standard/formatted_print.c | 14 ++++++++++----
 ext/standard/tests/strings/bug67249.phpt | 8 ++++++--
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index f99187b1c8..52c7cc94d2 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -470,10 +470,16 @@ php_formatted_print(char *format, size_t format_len, zval *args, int argc, int n
 /* space padding, the default */
 } else if (*format == '+') {
 always_sign = 1;
- } else if (*format == '\'' && format_len > 1) {
- format++;
- format_len--;
- padding = *format;
+ } else if (*format == '\'') {
+ if (format_len > 1) {
+ format++;
+ format_len--;
+ padding = *format;
+ } else {
+ zend_value_error("Missing padding character");
+ zend_string_efree(result);
+ return NULL;
+ }
 } else {
 PRINTF_DEBUG(("sprintf: end of modifiers\n"));
 break;
diff --git a/ext/standard/tests/strings/bug67249.phpt b/ext/standard/tests/strings/bug67249.phpt
index 6ea75289e6..a0e0843f4b 100644
--- a/ext/standard/tests/strings/bug67249.phpt
+++ b/ext/standard/tests/strings/bug67249.phpt
@@ -2,7 +2,11 @@ Bug #67249 (printf out-of-bounds read) --FILE-- getMessage(), "\n";
+} ?>
 --EXPECT--
-string(0) ""
+Missing padding character
-- 
2.50.1
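Review bot: The `format_len > 1` test inside the new `'\''` branch is the only thing keeping `padding = *format` within the format buffer, and the code does not say so. A short comment on that line would protect the bound from a later tidy-up, for example `/* a trailing ' has no byte after it: never read past format_len (bug #67249) */`. The error path releases `result` before `return NULL;`, but whether anything else acquired earlier in php_formatted_print also needs releasing cannot be judged here, because the function and its modifier loop start and end outside the hunk; it is worth comparing with the other early returns. The if/else chain reads `*format` on every iteration, so the case where the padding character is the last byte of the format presumably relies on a length check or terminator outside the hunk, which should be confirmed.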