Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4:
  update NEWS
  Fix bug #67249: printf out-of-bounds read

NEWS

@@ -27,6 +27,7 @@ PHP                                                                        NEWS
   . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
     zend_exceptions.c). (Bob)
   . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
+  . Fixed bug #67249 (printf out-of-bounds read). (Stas)
   . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas)
   . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas)
 

ext/standard/formatted_print.c

@@ -376,6 +376,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 	int alignment, currarg, adjusting, argnum, width, precision;
 	char *format, *result, padding;
 	int always_sign;
+	int format_len;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) {
 		return NULL;
@@ -414,11 +415,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 	
 	convert_to_string_ex(args[format_offset]);
 	format = Z_STRVAL_PP(args[format_offset]);
+	format_len = Z_STRLEN_PP(args[format_offset]);
 	result = emalloc(size);
 
 	currarg = 1;
 
-	while (inpos<Z_STRLEN_PP(args[format_offset])) {
+	while (inpos<format_len) {
 		int expprec = 0, multiuse = 0;
 		zval *tmp;
 
@@ -473,7 +475,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
 						/* space padding, the default */
 					} else if (format[inpos] == '+') {
 						always_sign = 1;
-					} else if (format[inpos] == '\'') {
+					} else if (format[inpos] == '\'' && inpos+1<format_len) {
 						padding = format[++inpos];
 					} else {
 						PRINTF_DEBUG(("sprintf: end of modifiers\n"));

ext/standard/tests/strings/bug67249.phpt

@@ -0,0 +1,8 @@
+--TEST--
+Bug #67249 (printf out-of-bounds read)
+--FILE--
+<?php
+var_dump(sprintf("%'", "foo"));
+?>
+--EXPECT--
+string(0) ""