authorTaoguang Chen <taoguangchen@icloud.com>2015-11-14 23:44:59 +0100
committerAnatol Belski <ab@php.net>2015-11-17 13:17:00 +0100
commit327b8bf79c5762101ac99930129e2b3e13157c60 (patch)
treead631ca4fc1fe30e1733471506436159919c242e
parent2aa400a0ffba12a551015e329ab53829d25b3805 (diff)
Fixed bug #70914 zend_throw_or_error() format string vulnerability
-rw-r--r--Zend/tests/bug70914.phpt17
-rw-r--r--Zend/zend_execute_API.c2
2 files changed, 18 insertions, 1 deletions
diff --git a/Zend/tests/bug70914.phpt b/Zend/tests/bug70914.phpt
new file mode 100644
index 0000000000..7da64d7d92
--- /dev/null
+++ b/Zend/tests/bug70914.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #70895 null ptr deref and segfault with crafted callable
+--SKIPIF--
+<?php
+if (!extension_loaded("pdo_sqlite")) {
+ die("skip pdo_sqlite required");
+}
+?>
+--FILE--
+<?php
+
+$db = new PDO('sqlite::memory:');
+$st = $db->query('SELECT 1');
+$re = $st->fetchObject('%Z');
+?>
+--EXPECTREGEX--
+Fatal error: Class '%Z' not found in .+bug70914.php on line \d+
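Review bot: The `--TEST--` title names a different bug ("Bug #70895 null ptr deref and segfault with crafted callable"), which looks copied from another test, while the file is bug70914.phpt and the commit fixes a format string issue. A title such as `Bug #70914 (zend_throw_or_error() format string vulnerability)` would let a failing run point at the right report. In `--EXPECTREGEX--` the dot in `bug70914.php` is unescaped and matches any character; `bug70914\.php` is stricter. Judging by the expected "Fatal error" output, the test appears to exercise only the `zend_error()` branch of the fix.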
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 9d255edfd4..9979aac256 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -220,7 +220,7 @@ static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce,
if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
zend_throw_error(exception_ce, message);
} else {
- zend_error(E_ERROR, message);
+ zend_error(E_ERROR, "%s", message);
}
efree(message);
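Review bot: The exception branch just above the fixed line, `zend_throw_error(exception_ce, message);`, still passes the already-formatted `message` as the format argument. Any `%` sequence that survives from a caller-supplied class name is therefore interpreted a second time whenever `ZEND_FETCH_CLASS_EXCEPTION` is set. `zend_throw_error()` takes a printf-style format just as `zend_error()` does, so it needs the same one-line change: `zend_throw_error(exception_ce, "%s", message);`. A second test case that reaches the exception path would guard that branch against regression. The body of `zend_throw_or_error` starts and ends outside this hunk, so the construction of `message` is not visible here.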