Fixed bug #70914 zend_throw_or_error() format string vulnerability

Author: chtg

Zend/tests/bug70914.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #70895 null ptr deref and segfault with crafted callable
+--SKIPIF--
+<?php
+if (!extension_loaded("pdo_sqlite")) {
+	die("skip pdo_sqlite required");
+}
+?>
+--FILE--
+<?php
+
+$db = new PDO('sqlite::memory:');
+$st = $db->query('SELECT 1');
+$re = $st->fetchObject('%Z');
+?>
+--EXPECTREGEX--
+Fatal error: Class '%Z' not found in .+bug70914.php on line \d+

Zend/zend_execute_API.c

@@ -220,7 +220,7 @@ static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce,
 	if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
 		zend_throw_error(exception_ce, message);
 	} else {
-		zend_error(E_ERROR, message);
+		zend_error(E_ERROR, "%s", message);
 	}
 
 	efree(message);