PHP 5 printf Integer Overflow.
Published on: 1206189344 (Unix timestamp)
SecurityReason found an integer overflow in PHP's printf. While the severity is low, I'd like to talk about it and about why I rarely use those string functions.
*printf() is, as the name implies, used to format strings. Any good C programmer knows that these functions assume long strings, and that where necessary the strings must be limited or truncated before they are passed into memory. These functions often trigger security holes in the form of overflows. The reason is obvious: if the data being passed into memory is user supplied, it must be treated before you pass it. That means checking its size, its type and its encoding. A multi-byte character or a simple percent sign passed to a string-formatting function can break it, because the percent sign is the placeholder for a format specifier. This isn't the only problem: what happens if you assume a certain return value? Is it NULL, FALSE, 0, -1, or something else? And what if you check it the way you check another function that returns a different value? Strict comparisons can then pose a real danger. So it basically comes down to this: any untreated user-supplied data increases the security risk.
While this new find is a security problem, it is possible to protect yourself from it, and from future finds as well. I always advise limiting the use of string formatters unless you have absolutely no other way of formatting strings. More important still is to treat user-supplied data before passing it on; don't assume that PHP will solve it for you. Many times it will, but this time it won't.
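As an added illustration of the checks named above (data-size, data-type, data-encoding, a fixed format string, and checking the return value the way the function actually documents it), here is a small PHP wrapper. It is not code from the original post or from PHP itself; the names fmt_user_value and render_greeting and the 64-character limit are my own choices, and it assumes the mbstring extension is loaded.

```php
<?php
// Added example, not part of the original post. Applies the checks described
// above before user data reaches a printf-style function.
declare(strict_types=1);

/**
 * Normalise untrusted text before it is used as a printf argument.
 * - data-type:     only strings are accepted
 * - data-encoding: byte strings that are not valid UTF-8 are rejected
 * - data-size:     truncated to $maxChars characters (not bytes), multibyte-aware
 * Returns null when the value must not be used at all.
 */
function fmt_user_value($value, int $maxChars = 64): ?string
{
    if (!is_string($value)) {
        return null;                                 // wrong data-type
    }
    if (!mb_check_encoding($value, 'UTF-8')) {
        return null;                                 // wrong data-encoding
    }
    return mb_substr($value, 0, $maxChars, 'UTF-8'); // data-size limit
}

/**
 * Builds a greeting. The format string is a constant; user data is only ever
 * passed as an argument to %s, so a '%' inside the input is plain text and
 * is never interpreted as a conversion specifier.
 */
function render_greeting($name): string
{
    $clean = fmt_user_value($name);
    if ($clean === null) {
        return 'Hello, guest';
    }
    // Correct: user data is an argument, not the format.
    // Wrong (for contrast, not executed): sprintf($clean) would let the
    // input supply its own conversion specifiers.
    $out = sprintf('Hello, %s', $clean);

    // Check the return value against what sprintf() itself documents
    // (a string, or false on failure in older PHP releases); do not reuse
    // another function's convention such as -1 or 0.
    if ($out === false) {
        return 'Hello, guest';
    }
    return $out;
}

// Constructed sample inputs: a '%' that would be a placeholder if misused,
// a multibyte name, and a value of the wrong type.
echo render_greeting('100% user'), "\n";
echo render_greeting('Zoë'), "\n";
echo render_greeting(['x']), "\n";
```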