sprintf() (and thus usprintf, etc) is null-unsafe

Fixing a potential security flaw in sprintf() caused by string parameters
containing mid-string null values to cut off output string prematurely.

eg sprintf("[%s]", "a\0b") === "[a"

hphp/runtime/ext/ext_string.cpp

@@ -359,14 +359,16 @@ Variant f_vprintf(CStrRef format, CArrRef args) {
   return len;
 }
 Variant f_sprintf(int _argc, CStrRef format, CArrRef _argv /* = null_array */) {
-  char *output = string_printf(format.data(), format.size(), _argv, NULL);
+  int len = 0;
+  char *output = string_printf(format.data(), format.size(), _argv, &len);
   if (output == NULL) return false;
-  return String(output, AttachString);
+  return String(output, len, AttachString);
 }
 Variant f_vsprintf(CStrRef format, CArrRef args) {
-  char *output = string_printf(format.data(), format.size(), args, NULL);
+  int len = 0;
+  char *output = string_printf(format.data(), format.size(), args, &len);
   if (output == NULL) return false;
-  return String(output, AttachString);
+  return String(output, len, AttachString);
 }
 
 Variant f_sscanf(int _argc, CStrRef str, CStrRef format, CArrRef _argv /* = null_array */) {

hphp/test/slow/ext_string/ext_string.php

@@ -299,6 +299,9 @@ VS(sprintf("A%sB%dC", "test", 10), "AtestB10C");
 VS(sprintf("%010s", "1101"), "0000001101");
 VS(sprintf("%02d", "09"), "09");
 
+VS(sprintf("(%s-%s)", "foo\0bar", "bar\0foo"), "(foo\0bar-bar\0foo)");
+VS(sprintf("[%s]", "a\0b"), "[a\0b]");
+
 VS(vsprintf("A%sB%dC", array("test", 10)), "AtestB10C");
 
 VS(sscanf("SN/2350001", "SN/%d"), array(2350001));

hphp/test/slow/ext_string/ext_string.php.expect

@@ -202,3 +202,5 @@ bool(true)
 bool(true)
 bool(true)
 bool(true)
+bool(true)
+bool(true)