printf: Report error if missing padding character

Author: nikic

ext/standard/formatted_print.c

@@ -470,10 +470,16 @@ php_formatted_print(char *format, size_t format_len, zval *args, int argc, int n
 						/* space padding, the default */
 					} else if (*format == '+') {
 						always_sign = 1;
-					} else if (*format == '\'' && format_len > 1) {
-						format++;
-						format_len--;
-						padding = *format;
+					} else if (*format == '\'') {
+						if (format_len > 1) {
+							format++;
+							format_len--;
+							padding = *format;
+						} else {
+							zend_value_error("Missing padding character");
+							zend_string_efree(result);
+							return NULL;
+						}
 					} else {
 						PRINTF_DEBUG(("sprintf: end of modifiers\n"));
 						break;

ext/standard/tests/strings/bug67249.phpt

@@ -2,7 +2,11 @@
 Bug #67249 (printf out-of-bounds read)
 --FILE--
 <?php
-var_dump(sprintf("%'", "foo"));
+try {
+    var_dump(sprintf("%'", "foo"));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
-string(0) ""
+Missing padding character