Index: ext/standard/scanf.c
===================================================================
RCS file: /repository/php-src/ext/standard/scanf.c,v
retrieving revision 1.31.2.2
diff -u -p -d -r1.31.2.2 scanf.c
--- ext/standard/scanf.c	1 Jan 2006 12:50:15 -0000	1.31.2.2
+++ ext/standard/scanf.c	4 Aug 2006 09:26:55 -0000
@@ -762,7 +762,9 @@ PHPAPI int php_sscanf_internal(	char *st
 		switch (*ch) {
 			case 'n':
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;
 
 						current = args[objIndex++];
@@ -888,7 +890,9 @@ PHPAPI int php_sscanf_internal(	char *st
 					}
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						zend_uint refcount;
 
 						current = args[objIndex++];
@@ -932,7 +936,9 @@ PHPAPI int php_sscanf_internal(	char *st
 					goto done;
 				}
 				if (!(flags & SCAN_SUPPRESS)) {
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						zval_dtor( *current );
 						ZVAL_STRINGL( *current, string, end-string, 1);
@@ -1089,7 +1095,9 @@ PHPAPI int php_sscanf_internal(	char *st
 					value = (int) (*fn)(buf, NULL, base);
 					if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 						sprintf(buf, "%u", value); /* INTL: ISO digit */
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 						  /* change passed value type to string */
 						   current = args[objIndex++];
 						   convert_to_string( *current );
@@ -1098,7 +1106,9 @@ PHPAPI int php_sscanf_internal(	char *st
 							add_index_string(*return_value, objIndex++, buf, 1);
 						}
 					} else {
-						if (numVars) {
+						if (numVars && objIndex >= argCount) {
+							break;
+						} else if (numVars) {
 							current = args[objIndex++];
 							convert_to_long( *current );
 							Z_LVAL(**current) = value;
@@ -1206,7 +1216,9 @@ PHPAPI int php_sscanf_internal(	char *st
 					double dvalue;
 					*end = '\0';
 					dvalue = zend_strtod(buf, NULL);
-					if (numVars) {
+					if (numVars && objIndex >= argCount) {
+						break;
+					} else if (numVars) {
 						current = args[objIndex++];
 						convert_to_double( *current );
 						Z_DVAL_PP( current ) = dvalue;