Report invalid printf placeholder

VincentLanglet · VincentLanglet · commit f3b0fd8dfbb2 · 2025-10-24T23:48:19.000+02:00
diff --git a/src/Rules/Functions/PrintfArrayParametersRule.php b/src/Rules/Functions/PrintfArrayParametersRule.php
@@ -66,7 +66,17 @@ public function processNode(Node $node, Scope $scope): array
 		foreach ($formatArgType->getConstantStrings() as $formatString) {
 			$format = $formatString->getValue();
 
-			$placeHoldersCounts[] = $this->printfHelper->getPrintfPlaceholdersCount($format);
+			$count = $this->printfHelper->getPrintfPlaceholdersCount($format);
+			if ($count === null) {
+				return [
+					RuleErrorBuilder::message(sprintf(
+						'Call to %s contains an invalid placeholder.',
+						$name,
+					))->identifier(sprintf('argument.%s', $name))->build(),
+				];
+			}
+
+			$placeHoldersCounts[] = $count;
 		}
 
 		if ($placeHoldersCounts === []) {
diff --git a/src/Rules/Functions/PrintfHelper.php b/src/Rules/Functions/PrintfHelper.php
@@ -24,24 +24,26 @@ public function __construct(private PhpVersion $phpVersion)
 	{
 	}
 
-	public function getPrintfPlaceholdersCount(string $format): int
+	public function getPrintfPlaceholdersCount(string $format): ?int
 	{
 		return $this->getPlaceholdersCount(self::PRINTF_SPECIFIER_PATTERN, $format);
 	}
 
 	/** @phpstan-return array<int, non-empty-list<PrintfPlaceholder>> parameter index => placeholders */
-	public function getPrintfPlaceholders(string $format): array
+	public function getPrintfPlaceholders(string $format): ?array
 	{
 		return $this->parsePlaceholders(self::PRINTF_SPECIFIER_PATTERN, $format);
 	}
 
-	public function getScanfPlaceholdersCount(string $format): int
+	public function getScanfPlaceholdersCount(string $format): ?int
 	{
 		return $this->getPlaceholdersCount('(?<specifier>[cdDeEfinosuxX%s]|\[[^\]]+\])', $format);
 	}
 
-	/** @phpstan-return array<int, non-empty-list<PrintfPlaceholder>> parameter index => placeholders */
-	private function parsePlaceholders(string $specifiersPattern, string $format): array
+	/**
+	 * @phpstan-return array<int, non-empty-list<PrintfPlaceholder>>|null parameter index => placeholders
+	 */
+	private function parsePlaceholders(string $specifiersPattern, string $format): ?array
 	{
 		$addSpecifier = '';
 		if ($this->phpVersion->supportsHhPrintfSpecifier()) {
@@ -50,7 +52,7 @@ private function parsePlaceholders(string $specifiersPattern, string $format): a
 
 		$specifiers = sprintf($specifiersPattern, $addSpecifier);
 
-		$pattern = '~(?<before>%*)%(?:(?<position>\d+)\$)?[-+]?(?:[ 0]|(?:\'[^%]))?(?<width>\*)?-?\d*(?:\.(?:\d+|(?<precision>\*))?)?' . $specifiers . '~';
+		$pattern = '~(?<before>%*)%(?:(?<position>\d+)\$)?[-+]?(?:[ 0]|(?:\'[^%]))?(?<width>\*)?-?\d*(?:\.(?:\d+|(?<precision>\*))?)?' . $specifiers . '?~';
 
 		$matches = Strings::matchAll($format, $pattern, PREG_SET_ORDER);
 
@@ -89,13 +91,19 @@ private function parsePlaceholders(string $specifiersPattern, string $format): a
 				$showValueSuffix = true;
 			}
 
+			$specifier = $placeholder['specifier'] ?? '';
+			if ($specifier === '') {
+				// A placeholder is invalid.
+				return null;
+			}
+
 			$parsedPlaceholders[] = new PrintfPlaceholder(
 				sprintf('"%s"', $placeholder[0]) . ($showValueSuffix ? ' (value)' : ''),
 				isset($placeholder['position']) && $placeholder['position'] !== ''
 					? $placeholder['position'] - 1
 					: $parameterIdx++,
 				$placeholderNumber,
-				$this->getAcceptingTypeBySpecifier($placeholder['specifier'] ?? ''),
+				$this->getAcceptingTypeBySpecifier($specifier),
 			);
 		}
 
@@ -124,9 +132,14 @@ private function getAcceptingTypeBySpecifier(string $specifier): string
 		return 'mixed';
 	}
 
-	private function getPlaceholdersCount(string $specifiersPattern, string $format): int
+	private function getPlaceholdersCount(string $specifiersPattern, string $format): ?int
 	{
-		$paramIndices = array_keys($this->parsePlaceholders($specifiersPattern, $format));
+		$placeholdersMap = $this->parsePlaceholders($specifiersPattern, $format);
+		if ($placeholdersMap === null) {
+			return null;
+		}
+
+		$paramIndices = array_keys($placeholdersMap);
 
 		return $paramIndices === []
 			? 0
diff --git a/src/Rules/Functions/PrintfParameterTypeRule.php b/src/Rules/Functions/PrintfParameterTypeRule.php
@@ -92,6 +92,11 @@ public function processNode(Node $node, Scope $scope): array
 		$formatString = $formatArgTypeStrings[0];
 		$format = $formatString->getValue();
 		$placeholderMap = $this->printfHelper->getPrintfPlaceholders($format);
+		if ($placeholderMap === null) {
+			// Already reported by PrintfParametersRule.
+			return [];
+		}
+
 		$errors = [];
 		$typeAllowedByCallToFunctionParametersRule = TypeCombinator::union(
 			new StringAlwaysAcceptingObjectWithToStringType(),
diff --git a/src/Rules/Functions/PrintfParametersRule.php b/src/Rules/Functions/PrintfParametersRule.php
@@ -86,6 +86,15 @@ public function processNode(Node $node, Scope $scope): array
 				$tempPlaceHoldersCount = $this->printfHelper->getScanfPlaceholdersCount($format);
 			}
 
+			if ($tempPlaceHoldersCount === null) {
+				return [
+					RuleErrorBuilder::message(sprintf(
+						'Call to %s contains an invalid placeholder.',
+						$name,
+					))->identifier(sprintf('argument.%s', $name))->build(),
+				];
+			}
+
 			if ($maxPlaceHoldersCount === null) {
 				$maxPlaceHoldersCount = $tempPlaceHoldersCount;
 			} elseif ($tempPlaceHoldersCount > $maxPlaceHoldersCount) {
diff --git a/tests/PHPStan/Rules/Functions/PrintfArrayParametersRuleTest.php b/tests/PHPStan/Rules/Functions/PrintfArrayParametersRuleTest.php
@@ -71,4 +71,18 @@ public function testFile(): void
 		]);
 	}
 
+	public function testBug1889(): void
+	{
+		$this->analyse([__DIR__ . '/data/bug-1889.php'], [
+			[
+				'Call to vsprintf contains an invalid placeholder.',
+				7,
+			],
+			[
+				'Call to vsprintf contains an invalid placeholder.',
+				9,
+			],
+		]);
+	}
+
 }
diff --git a/tests/PHPStan/Rules/Functions/PrintfParametersRuleTest.php b/tests/PHPStan/Rules/Functions/PrintfParametersRuleTest.php
@@ -123,4 +123,18 @@ public function testBug2342(): void
 		]);
 	}
 
+	public function testBug1889(): void
+	{
+		$this->analyse([__DIR__ . '/data/bug-1889.php'], [
+			[
+				'Call to printf contains an invalid placeholder.',
+				3,
+			],
+			[
+				'Call to printf contains an invalid placeholder.',
+				5,
+			],
+		]);
+	}
+
 }
diff --git a/tests/PHPStan/Rules/Functions/data/bug-1889.php b/tests/PHPStan/Rules/Functions/data/bug-1889.php
@@ -0,0 +1,9 @@
+<?php
+
+printf('%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%', 71, 73, 70, 56, 57, 97, 1, 0, 1, 0, 128, 255, 0, 192, 192, 192, 0, 0, 0, 33, 249, 4, 1, 0, 0, 0, 0, 44, 0, 0, 0, 0, 1, 0, 1, 0, 0, 2, 2, 68, 1, 0, 59);
+
+printf('%c%c%c%', 71, 73, 70, 80);
+
+vsprintf('%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%', [71, 73, 70, 56, 57, 97, 1, 0, 1, 0, 128, 255, 0, 192, 192, 192, 0, 0, 0, 33, 249, 4, 1, 0, 0, 0, 0, 44, 0, 0, 0, 0, 1, 0, 1, 0, 0, 2, 2, 68, 1, 0, 59]);
+
+vsprintf('%c%c%c%', [71, 73, 70, 80]);
diff --git a/tests/PHPStan/Rules/Functions/data/printf.php b/tests/PHPStan/Rules/Functions/data/printf.php
@@ -6,10 +6,10 @@
 sprintf('%s %s', 'foo'); // one parameter missing
 sprintf('foo', 'foo'); // one parameter over
 sprintf('foo %s', 'foo', 'bar'); // one parameter over
-sprintf('%2$s %1$s %% %1$s %%%', 'one'); // one parameter missing
+sprintf('%2$s %1$s %% %1$s %%', 'one'); // one parameter missing
 sprintf('%2$s %%'); // two parameters required
 sprintf('%2$s %1$s %1$s %s %s %s %s'); // four parameters required
-sprintf('%2$s %1$s %% %s %s %s %s %%% %%%%', 'one', 'two', 'three', 'four'); // ok
+sprintf('%2$s %1$s %% %s %s %s %s %% %%%%', 'one', 'two', 'three', 'four'); // ok
 sprintf("%'.9d %1$'.9d %0.3f %d %d %d", 123, 456);
 sprintf('%-4s', 'foo'); // ok
 sprintf('%%s %s', 'foo', 'bar'); // one parameter over
diff --git a/tests/PHPStan/Rules/Functions/data/vprintf.php b/tests/PHPStan/Rules/Functions/data/vprintf.php
@@ -10,11 +10,11 @@ function doFoo($message, array $arr) {
 	vsprintf('%s %s', ['foo']); // one parameter missing
 	vsprintf('foo', ['foo']); // one parameter over
 	vsprintf('foo %s', ['foo', 'bar']); // one parameter over
-	vsprintf('%2$s %1$s %% %1$s %%%', ['one']); // one parameter missing
+	vsprintf('%2$s %1$s %% %1$s %%', ['one']); // one parameter missing
 	vsprintf('%2$s %%'); // two parameters required
 	vsprintf('%2$s %%', []); // two parameters required
 	vsprintf('%2$s %1$s %1$s %s %s %s %s'); // four parameters required
-	vsprintf('%2$s %1$s %% %s %s %s %s %%% %%%%', ['one', 'two', 'three', 'four']); // ok
+	vsprintf('%2$s %1$s %% %s %s %s %s %% %%%%', ['one', 'two', 'three', 'four']); // ok
 	vsprintf("%'.9d %1$'.9d %0.3f %d %d %d", [123, 456]); // five parameters required
 
 	vsprintf('%-4s', ['foo']); // ok

Original file line number	Diff line number	Diff line change
`@@ -24,24 +24,26 @@ public function __construct(private PhpVersion $phpVersion)`
`24`	`24`	`{`
`25`	`25`	`}`
`26`	`26`
`27`		`- public function getPrintfPlaceholdersCount(string $format): int`
	`27`	`+ public function getPrintfPlaceholdersCount(string $format): ?int`
`28`	`28`	`{`
`29`	`29`	`return $this->getPlaceholdersCount(self::PRINTF_SPECIFIER_PATTERN, $format);`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`/** @phpstan-return array<int, non-empty-list<PrintfPlaceholder>> parameter index => placeholders */`
`33`		`- public function getPrintfPlaceholders(string $format): array`
	`33`	`+ public function getPrintfPlaceholders(string $format): ?array`
`34`	`34`	`{`
`35`	`35`	`return $this->parsePlaceholders(self::PRINTF_SPECIFIER_PATTERN, $format);`
`36`	`36`	`}`
`37`	`37`
`38`		`- public function getScanfPlaceholdersCount(string $format): int`
	`38`	`+ public function getScanfPlaceholdersCount(string $format): ?int`
`39`	`39`	`{`
`40`	`40`	`return $this->getPlaceholdersCount('(?<specifier>[cdDeEfinosuxX%s]\|\[[^\]]+\])', $format);`
`41`	`41`	`}`
`42`	`42`
`43`		`- /** @phpstan-return array<int, non-empty-list<PrintfPlaceholder>> parameter index => placeholders */`
`44`		`- private function parsePlaceholders(string $specifiersPattern, string $format): array`
	`43`	`+ /**`
	`44`	`+ * @phpstan-return array<int, non-empty-list<PrintfPlaceholder>>\|null parameter index => placeholders`
	`45`	`+ */`
	`46`	`+ private function parsePlaceholders(string $specifiersPattern, string $format): ?array`
`45`	`47`	`{`
`46`	`48`	`$addSpecifier = '';`
`47`	`49`	`if ($this->phpVersion->supportsHhPrintfSpecifier()) {`
`@@ -50,7 +52,7 @@ private function parsePlaceholders(string $specifiersPattern, string $format): a`
`50`	`52`
`51`	`53`	`$specifiers = sprintf($specifiersPattern, $addSpecifier);`
`52`	`54`
`53`		`- $pattern = '~(?<before>%)%(?:(?<position>\d+)\$)?[-+]?(?:[ 0]\|(?:\'[^%]))?(?<width>\)?-?\d(?:\.(?:\d+\|(?<precision>\))?)?' . $specifiers . '~';`
	`55`	`+ $pattern = '~(?<before>%)%(?:(?<position>\d+)\$)?[-+]?(?:[ 0]\|(?:\'[^%]))?(?<width>\)?-?\d(?:\.(?:\d+\|(?<precision>\))?)?' . $specifiers . '?~';`
`54`	`56`
`55`	`57`	`$matches = Strings::matchAll($format, $pattern, PREG_SET_ORDER);`
`56`	`58`
`@@ -89,13 +91,19 @@ private function parsePlaceholders(string $specifiersPattern, string $format): a`
`89`	`91`	`$showValueSuffix = true;`
`90`	`92`	`}`
`91`	`93`
	`94`	`+ $specifier = $placeholder['specifier'] ?? '';`
	`95`	`+ if ($specifier === '') {`
	`96`	`+ // A placeholder is invalid.`
	`97`	`+ return null;`
	`98`	`+ }`
	`99`	`+`
`92`	`100`	`$parsedPlaceholders[] = new PrintfPlaceholder(`
`93`	`101`	`sprintf('"%s"', $placeholder[0]) . ($showValueSuffix ? ' (value)' : ''),`
`94`	`102`	`isset($placeholder['position']) && $placeholder['position'] !== ''`
`95`	`103`	`? $placeholder['position'] - 1`
`96`	`104`	`: $parameterIdx++,`
`97`	`105`	`$placeholderNumber,`
`98`		`- $this->getAcceptingTypeBySpecifier($placeholder['specifier'] ?? ''),`
	`106`	`+ $this->getAcceptingTypeBySpecifier($specifier),`
`99`	`107`	`);`
`100`	`108`	`}`
`101`	`109`
`@@ -124,9 +132,14 @@ private function getAcceptingTypeBySpecifier(string $specifier): string`
`124`	`132`	`return 'mixed';`
`125`	`133`	`}`
`126`	`134`
`127`		`- private function getPlaceholdersCount(string $specifiersPattern, string $format): int`
	`135`	`+ private function getPlaceholdersCount(string $specifiersPattern, string $format): ?int`
`128`	`136`	`{`
`129`		`- $paramIndices = array_keys($this->parsePlaceholders($specifiersPattern, $format));`
	`137`	`+ $placeholdersMap = $this->parsePlaceholders($specifiersPattern, $format);`
	`138`	`+ if ($placeholdersMap === null) {`
	`139`	`+ return null;`
	`140`	`+ }`
	`141`	`+`
	`142`	`+ $paramIndices = array_keys($placeholdersMap);`
`130`	`143`
`131`	`144`	`return $paramIndices === []`
`132`	`145`	`? 0`