php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-07 16:13:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Improve validation of argnum, width and precision.

Browse Source
This commit is contained in:
Ilia Alshanetsky
2007-01-13 16:31:17 +00:00
parent 8815fdf5e0
commit f7d1d3ef44
1 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
ext/standard/formatted_print.c
View File

@@ -308,7 +308,7 @@ php_sprintf_append2n(char **buffer, int *pos, int *size, long number,
}
inline static long
inline static int
php_sprintf_getnumber(char *buffer, int *pos)
{
char *endptr;
@@ -320,7 +320,12 @@ php_sprintf_getnumber(char *buffer, int *pos)
}
PRINTF_DEBUG(("sprintf_getnumber: number was %d bytes long\n", i));
*pos += i;
return num;
if (num >= INT_MAX || num < 0) {
return -1;
} else {
return (int) num;
}
}
/* {{{ php_formatted_print
@@ -352,10 +357,9 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
{
zval ***args, **z_format;
int argc, size = 240, inpos = 0, outpos = 0, temppos;
int alignment, currarg, adjusting;
int alignment, currarg, adjusting, argnum, width, precision;
char *format, *result, padding;
int always_sign;
long argnum, width, precision;
argc = ZEND_NUM_ARGS();
@@ -429,10 +433,10 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
if (format[temppos] == '$') {
argnum = php_sprintf_getnumber(format, &inpos);
if (argnum == 0) {
if (argnum <= 0) {
efree(result);
efree(args);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zero is not a valid argument number");
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument number must be greater then zero.");
return NULL;
}
@@ -471,7 +475,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
/* after modifiers comes width */
if (isdigit((int)format[inpos])) {
PRINTF_DEBUG(("sprintf: getting width\n"));
width = php_sprintf_getnumber(format, &inpos);
if ((width = php_sprintf_getnumber(format, &inpos)) < 0) {
efree(result);
efree(args);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Width must be greater then zero and less then %d.", INT_MAX);
return NULL;
}
adjusting |= ADJ_WIDTH;
} else {
width = 0;
@@ -483,7 +492,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC
inpos++;
PRINTF_DEBUG(("sprintf: getting precision\n"));
if (isdigit((int)format[inpos])) {
precision = php_sprintf_getnumber(format, &inpos);
if ((precision = php_sprintf_getnumber(format, &inpos)) < 0) {
efree(result);
efree(args);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Precision must be greater then zero and less then %d.", INT_MAX);
return NULL;
}
adjusting |= ADJ_PRECISION;
expprec = 1;
} else {