File php-4.3.9-CVE-2006-4020.patch of Package php4
--- php-4.3.9/ext/standard/scanf.c.cve4020
+++ php-4.3.9/ext/standard/scanf.c
@@ -731,7 +731,7 @@
 if (*end == '$') {
 format = end+1;
 ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
 }
 }
 
@@ -761,8 +761,10 @@
 switch (*ch) {
 case 'n':
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
- current = args[objIndex++];
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_LONG( *current, (long)(string - baseString) );
 } else {
@@ -882,8 +884,10 @@
 }
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
- current = args[objIndex++];
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_STRINGL( *current, string, end-string, 1);
 } else {
@@ -921,7 +925,9 @@
 goto done;
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1078,8 +1084,10 @@
 value = (int) (*fn)(buf, NULL, base);
 if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
- /* change passed value type to string */
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
+ /* change passed value type to string */
 current = args[objIndex++];
 convert_to_string( *current );
 ZVAL_STRING( *current, buf, 1 );
@@ -1087,7 +1095,9 @@
 add_index_string(*return_value, objIndex++, buf, 1);
 }
 } else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_long( *current );
 Z_LVAL(**current) = value;
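Review bot: The new `objIndex = varStart + value - 1;` has no lower bound: a parsed position `value` of 0 yields `varStart - 1`, and the guards this patch adds in the later hunks only test `objIndex >= argCount`. Unless format validation that runs before this code already rejects a zero position (not visible in this hunk), that index would reach `args[objIndex++]` below the first output variable. Rejecting `value < 1` before the subtraction, or widening the later guards to `if (numVars && (objIndex < varStart || objIndex >= argCount))`, would cover the low side as well. The enclosing function starts and ends outside the hunk.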
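Review bot: The guard `if (numVars && objIndex >= argCount) { break; }` added under `case 'n':` skips the assignment silently, so a call that supplies fewer variables than the format consumes gets no diagnostic and the caller cannot tell a conversion was dropped. The same three lines are repeated in the hunks starting at new lines 884, 925, 1084, 1095 and 1205; one helper or macro would keep the six sites from drifting apart and is the natural place to raise a warning or set an error result before the `break`. Whether the skipped conversion is still counted in the return value depends on code after the switch, which is outside these hunks. The `current = args[objIndex++];` lines and the `/* change passed value type to string */` comment are also removed and re-added with only whitespace differences, which adds noise to a security fix.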
@@ -1195,7 +1205,9 @@
 double dvalue;
 *end = '\0';
 dvalue = strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_double( *current );
 Z_DVAL_PP( current ) = dvalue;