Truncate sscanf/fscanf format string at NUL byte before counting placeholders

src/Rules/Functions/PrintfHelper.php

@@ -12,6 +12,7 @@
 use function max;
 use function sprintf;
 use function strlen;
+use function strstr;
 use const PREG_SET_ORDER;
 
 #[AutowiredService]
@@ -45,6 +46,13 @@ public function getScanfPlaceholdersCount(string $format): ?int
 	 */
 	private function parsePlaceholders(string $specifiersPattern, string $format, bool $isScanf): ?array
 	{
+		if ($isScanf) {
+			$beforeNul = strstr($format, "\0", true);
+			if ($beforeNul !== false) {
+				$format = $beforeNul;
+			}
+		}
+
 		$addSpecifier = '';
 		if ($this->phpVersion->supportsHhPrintfSpecifier()) {
 			$addSpecifier .= 'hH';

src/Type/Php/SscanfFunctionDynamicReturnTypeExtension.php

@@ -21,6 +21,7 @@
 use function count;
 use function in_array;
 use function preg_match_all;
+use function strstr;
 
 #[AutowiredService]
 final class SscanfFunctionDynamicReturnTypeExtension implements DynamicFunctionReturnTypeExtension
@@ -48,9 +49,15 @@ public function getTypeFromFunctionCall(
 			return null;
 		}
 
-		if (preg_match_all('/%(\d*)(\[[^\]]+\]|[cdeEfosux]{1})/', $formatType->getValue(), $matches) > 0) {
-			$arrayBuilder = ConstantArrayTypeBuilder::createEmpty();
+		$formatValue = $formatType->getValue();
+		$beforeNul = strstr($formatValue, "\0", true);
+		if ($beforeNul !== false) {
+			$formatValue = $beforeNul;
+		}
+
+		$arrayBuilder = ConstantArrayTypeBuilder::createEmpty();
 
+		if (preg_match_all('/%(\d*)(\[[^\]]+\]|[cdeEfosux]{1})/', $formatValue, $matches) > 0) {
 			for ($i = 0; $i < count($matches[0]); $i++) {
 				$length = $matches[1][$i];
 				$specifier = $matches[2][$i];
@@ -81,11 +88,9 @@ public function getTypeFromFunctionCall(
 				$type = TypeCombinator::addNull($type);
 				$arrayBuilder->setOffsetValueType(new ConstantIntegerType($i), $type);
 			}
-
-			return TypeCombinator::addNull($arrayBuilder->getArray());
 		}
 
-		return null;
+		return TypeCombinator::addNull($arrayBuilder->getArray());
 	}
 
 }

tests/PHPStan/Analyser/nsrt/bug-14567.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace Bug14567;
+
+use function PHPStan\Testing\assertType;
+
+function sscanfNulTerminator(string $s) {
+	// NUL byte terminates sscanf format string - placeholders after \0 are ignored
+	assertType('array{int|null}|null', sscanf($s, "%d\0%d"));
+	assertType('array{int|null, string|null}|null', sscanf($s, "%d %s\0%d"));
+	assertType('array{}|null', sscanf($s, "\0%d%s"));
+}
+
+function fscanfNulTerminator($r) {
+	// Same for fscanf
+	assertType('array{int|null}|null', fscanf($r, "%d\0%d"));
+	assertType('array{int|null, string|null}|null', fscanf($r, "%d %s\0%d"));
+	assertType('array{}|null', fscanf($r, "\0%d%s"));
+}

tests/PHPStan/Rules/Functions/PrintfParametersRuleTest.php

@@ -147,4 +147,9 @@ public function testBug10260(): void
 		$this->analyse([__DIR__ . '/data/bug-10260.php'], []);
 	}
 
+	public function testBug14567(): void
+	{
+		$this->analyse([__DIR__ . '/data/bug-14567.php'], []);
+	}
+
 }

tests/PHPStan/Rules/Functions/data/bug-14567.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace Bug14567;
+
+// NUL byte terminates sscanf/fscanf format string parsing
+// Placeholders after \0 should not be counted
+
+// Only 1 placeholder active before NUL
+sscanf('123 456', "%d\0%d", $a);
+
+// Only 1 placeholder active before NUL (fscanf)
+fscanf(STDIN, "%d\0%d", $a2);
+
+// No placeholders after NUL
+sscanf('123', "\0%d");
+
+// Multiple placeholders, NUL in middle
+sscanf('123 456 789', "%d %d\0%d", $b, $c);