File php-4.3.9-CVE-2006-4020.patch of Package php4

--- php-4.3.9/ext/standard/scanf.c.cve4020
+++ php-4.3.9/ext/standard/scanf.c
@@ -731,7 +731,7 @@
                 if (*end == '$') {
                     format = end+1;
                     ch = format++;
-                    objIndex = varStart + value;
+                    objIndex = varStart + value - 1;
                 }
          }
 
@@ -761,8 +761,10 @@
         switch (*ch) {
             case 'n':
                 if (!(flags & SCAN_SUPPRESS)) {
-                    if (numVars) {
-						current = args[objIndex++];
+                    if (numVars && objIndex >= argCount) {
+                        break;
+                    } else if (numVars) {
+                        current = args[objIndex++];
                         zval_dtor( *current );
                         ZVAL_LONG( *current, (long)(string - baseString) );
                     } else {
@@ -882,8 +884,10 @@
                 }
             }
             if (!(flags & SCAN_SUPPRESS)) {
-                if (numVars) {
-                    current = args[objIndex++];
+                if (numVars && objIndex >= argCount) {
+                    break;
+                } else if (numVars) {
+					current = args[objIndex++];
 					zval_dtor( *current );
 					ZVAL_STRINGL( *current, string, end-string, 1);
                 } else {
@@ -921,7 +925,9 @@
                 goto done;
             }
             if (!(flags & SCAN_SUPPRESS)) {
-                if (numVars) {
+                if (numVars && objIndex >= argCount) {
+                    break;
+                } else if (numVars) {
                     current = args[objIndex++];
                     zval_dtor( *current );
                     ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1078,8 +1084,10 @@
 		    value = (int) (*fn)(buf, NULL, base);
 		    if ((flags & SCAN_UNSIGNED) && (value < 0)) {
                 sprintf(buf, "%u", value); /* INTL: ISO digit */
-                if (numVars) {
-                  /* change passed value type to string */
+                if (numVars && objIndex >= argCount) {
+                   break;
+                } else if (numVars) {
+                   /* change passed value type to string */
                    current = args[objIndex++];
                    convert_to_string( *current );
                    ZVAL_STRING( *current, buf, 1 );
@@ -1087,7 +1095,9 @@
                     add_index_string(*return_value, objIndex++, buf, 1);
                 }
             } else {
-                if (numVars) {
+                if (numVars && objIndex >= argCount) {
+                    break;
+                } else if (numVars) {
                     current = args[objIndex++];
                     convert_to_long( *current );
                     Z_LVAL(**current) = value;
@@ -1195,7 +1205,9 @@
 		    double dvalue;
 		    *end = '\0';
 		    dvalue = strtod(buf, NULL);
-            if (numVars) {
+            if (numVars && objIndex >= argCount) {
+                break;
+            } else if (numVars) {
                 current = args[objIndex++];
                 convert_to_double( *current );
                 Z_DVAL_PP( current ) = dvalue;