Bug #60965 Buffer overflow on htmlspecialchars/entities with $double=false
Submitted: 2012-02-03 10:48 UTC Modified: 2012-04-13 21:42 UTC
Votes:16
Avg. Score:3.9 ± 1.0
Reproduced:5 of 10 (50.0%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: khalid at istartus dot com Assigned: cataphract
Status: Closed Package: Reproducible crash
PHP Version: 5.4SVN-2012-02-03 (SVN) OS: Any
Private report: No CVE-ID: None
 [2012-02-03 10:48 UTC] khalid at istartus dot com
Description:
------------
Long entities can cause a buffer overflow because the loop only guarantees 40 bytes available at the beginning.

Test script:
---------------
<?php
echo htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005;',
ENT_QUOTES, 'UTF-8', false), "\n";
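The defect the submitter describes is a per-iteration capacity assumption: a fixed slack is reserved once, but a single entity copied through verbatim under $double_encode=false can be far longer than that slack. As an added illustration (not PHP's code), the constructed escaper below mirrors the double_encode=false behaviour and checks the remaining capacity against the real length of each piece before copying it; entity_len and escape_html are names invented for this example.

```c
#include <string.h>
#include <ctype.h>

/* Length of a well-formed entity starting at s (including '&' and ';'),
 * or 0 if s does not start one. Accepts &name; &#123; and &#x1F; and is
 * a constructed stand-in for PHP's real entity validation. */
static size_t entity_len(const char *s) {
    if (s[0] != '&') return 0;
    size_t i = 1;
    if (s[1] == '#') {
        int hex = (s[2] == 'x' || s[2] == 'X');
        i = hex ? 3 : 2;
        size_t start = i;
        while (hex ? isxdigit((unsigned char)s[i]) : isdigit((unsigned char)s[i])) i++;
        if (i == start) return 0;          /* "&#;" or "&#x;" is not an entity */
    } else {
        while (isalnum((unsigned char)s[i])) i++;
        if (i == 1) return 0;              /* "&;" is not an entity */
    }
    return s[i] == ';' ? i + 1 : 0;
}

/* Escape & < > " into out (capacity cap bytes, NUL included). With
 * double_encode == 0 an existing entity is copied through unchanged,
 * like htmlspecialchars(..., $double_encode = false). The check before
 * each memcpy uses the actual piece length, so an arbitrarily long
 * numeric entity cannot outrun a fixed reserve. Returns the number of
 * bytes written (excluding NUL) or (size_t)-1 if out would overflow. */
size_t escape_html(const char *in, char *out, size_t cap, int double_encode) {
    if (cap == 0) return (size_t)-1;
    size_t o = 0;
    for (size_t i = 0; in[i]; ) {
        const char *piece;
        size_t n;
        size_t elen = (in[i] == '&' && !double_encode) ? entity_len(in + i) : 0;
        if (elen)              { piece = in + i;  n = elen; }
        else if (in[i] == '&') { piece = "&amp;";  n = 5; }
        else if (in[i] == '<') { piece = "&lt;";   n = 4; }
        else if (in[i] == '>') { piece = "&gt;";   n = 4; }
        else if (in[i] == '"') { piece = "&quot;"; n = 6; }
        else                   { piece = in + i;  n = 1; }
        if (n + 1 > cap - o) return (size_t)-1;   /* piece plus NUL must fit */
        memcpy(out + o, piece, n);
        o += n;
        i += elen ? elen : 1;
    }
    out[o] = '\0';
    return o;
}
```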


History
 [2012-02-03 10:50 UTC] cataphract@php.net
-Status: Open +Status: Critical -Assigned To: +Assigned To: cataphract
 [2012-02-03 17:03 UTC] rasmus@php.net
This is 5.4-only?
 [2012-02-03 18:36 UTC] cataphract@php.net
Yes, it is trunk/5.4 only.
 [2012-02-04 18:12 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323056
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
  $double=false).
- Removed unused variable.
- Given maxlen the usual meaning of *len variables (terminator not included).
- Changed some comments.
 [2012-02-05 09:59 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323074
Log: - Merge r323056 (see bug #60965).
 [2012-02-05 10:04 UTC] cataphract@php.net
-Status: Critical +Status: Closed
 [2012-02-27 09:56 UTC] khalid at istartus dot com
-: cataphract@php.net +: khalid at istartus dot com -Status: Closed +Status: Assigned
 [2012-02-27 09:56 UTC] khalid at istartus dot com
hi
 [2012-04-13 21:42 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2012-04-13 21:42 UTC] nikic@php.net
Why was this reopened?
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=122e11ef6e5af5eb5e940b08bb018fd0d03a34d2
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
  $double=false).
- Removed unused variable.
- Given maxlen the usual meaning of *len variables (terminator not included).
- Changed some comments.