1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
$NetBSD: patch-aw,v 1.1 2006/08/10 05:57:09 taca Exp $
# Fix for Secunia Advisory SA21403
--- ext/standard/scanf.c.orig 2006-01-01 21:50:15.000000000 +0900
+++ ext/standard/scanf.c
@@ -732,7 +732,7 @@ PHPAPI int php_sscanf_internal( char *st
if (*end == '$') {
format = end+1;
ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
}
}
@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal( char *st
switch (*ch) {
case 'n':
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
zend_uint refcount;
current = args[objIndex++];
@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal( char *st
}
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
zend_uint refcount;
current = args[objIndex++];
@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal( char *st
goto done;
}
if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
zval_dtor( *current );
ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal( char *st
value = (int) (*fn)(buf, NULL, base);
if ((flags & SCAN_UNSIGNED) && (value < 0)) {
sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
/* change passed value type to string */
current = args[objIndex++];
convert_to_string( *current );
@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal( char *st
add_index_string(*return_value, objIndex++, buf, 1);
}
} else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_long( *current );
Z_LVAL(**current) = value;
@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal( char *st
double dvalue;
*end = '\0';
dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
current = args[objIndex++];
convert_to_double( *current );
Z_DVAL_PP( current ) = dvalue;
|
