diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2007-01-13 16:31:17 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2007-01-13 16:31:17 +0000 |
| commit | f7d1d3ef445eb9261ebb761bc00aeb3c70fedbf0 (patch) | |
| tree | 0727671c31b487b886e7127bb88ec8c435659b62 | |
| parent | 8815fdf5e0536698488fe01b231c99bb321fae77 (diff) | |
| download | php-git-f7d1d3ef445eb9261ebb761bc00aeb3c70fedbf0.tar.gz | |
Improve validation of argnum, width and precision.
| -rw-r--r-- | ext/standard/formatted_print.c | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c index 0888818a17..915f4979d0 100644 --- a/ext/standard/formatted_print.c +++ b/ext/standard/formatted_print.c @@ -308,7 +308,7 @@ php_sprintf_append2n(char **buffer, int *pos, int *size, long number, } -inline static long +inline static int php_sprintf_getnumber(char *buffer, int *pos) { char *endptr; @@ -320,7 +320,12 @@ php_sprintf_getnumber(char *buffer, int *pos) } PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i)); *pos += i; - return num; + + if (num >= INT_MAX || num < 0) { + return -1; + } else { + return (int) num; + } } /* {{{ php_formatted_print @@ -352,10 +357,9 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC { zval ***args, **z_format; int argc, size = 240, inpos = 0, outpos = 0, temppos; - int alignment, currarg, adjusting; + int alignment, currarg, adjusting, argnum, width, precision; char *format, *result, padding; int always_sign; - long argnum, width, precision; argc = ZEND_NUM_ARGS(); @@ -429,10 +433,10 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC if (format[temppos] == '$') { argnum = php_sprintf_getnumber(format, &inpos); - if (argnum == 0) { + if (argnum <= 0) { efree(result); efree(args); - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zero is not a valid argument number"); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number must be greater then zero."); return NULL; } @@ -471,7 +475,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC /* after modifiers comes width */ if (isdigit((int)format[inpos])) { PRINTF_DEBUG(("sprintf: getting width\n")); - width = php_sprintf_getnumber(format, &inpos); + if ((width = php_sprintf_getnumber(format, &inpos)) < 0) { + efree(result); + efree(args); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Width must be greater then zero and less then %d.", INT_MAX); + return NULL; + } adjusting |= ADJ_WIDTH; } else { width = 0; @@ -483,7 +492,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC inpos++; PRINTF_DEBUG(("sprintf: getting precision\n")); if (isdigit((int)format[inpos])) { - precision = php_sprintf_getnumber(format, &inpos); + if ((precision = php_sprintf_getnumber(format, &inpos)) < 0) { + efree(result); + efree(args); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Precision must be greater then zero and less then %d.", INT_MAX); + return NULL; + } adjusting |= ADJ_PRECISION; expprec = 1; } else { |