From d780c2a673ef25166aaec994f14bfec4f57ab8dd Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 11 May 2014 18:44:14 -0700
Subject: [PATCH] Fix bug #67249: printf out-of-bounds read

---
 ext/standard/formatted_print.c           | 6 ++++--
 ext/standard/tests/strings/bug67249.phpt | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/strings/bug67249.phpt

diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index d69b79bf3d..383ca1a5bb 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -379,6 +379,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 	int alignment, currarg, adjusting, argnum, width, precision;
 	char *format, *result, padding;
 	int always_sign;
+	int format_len;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) {
 		return NULL;
@@ -417,11 +418,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 	
 	convert_to_string_ex(args[format_offset]);
 	format = Z_STRVAL_PP(args[format_offset]);
+	format_len = Z_STRLEN_PP(args[format_offset]);
 	result = emalloc(size);
 
 	currarg = 1;
 
-	while (inpos<Z_STRLEN_PP(args[format_offset])) {
+	while (inpos<format_len) {
 		int expprec = 0, multiuse = 0;
 		zval *tmp;
 
@@ -476,7 +478,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 						/* space padding, the default */
 					} else if (format[inpos] == '+') {
 						always_sign = 1;
-					} else if (format[inpos] == '\'') {
+					} else if (format[inpos] == '\'' && inpos+1<format_len) {
 						padding = format[++inpos];
 					} else {
 						PRINTF_DEBUG(("sprintf: end of modifiers\n"));
diff --git a/ext/standard/tests/strings/bug67249.phpt b/ext/standard/tests/strings/bug67249.phpt
new file mode 100644
index 0000000000..6ea75289e6
--- /dev/null
+++ b/ext/standard/tests/strings/bug67249.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67249 (printf out-of-bounds read)
+--FILE--
+<?php
+var_dump(sprintf("%'", "foo"));
+?>
+--EXPECT--
+string(0) ""
-- 
2.40.0