[2001-10-20 06:00 UTC] sander@php.net
[2001-10-20 06:58 UTC] derick@php.net
If we pass a binary string which contains a byte with an ASCII value of "0" to urlencode, then PHP will segfault. This short script will demonstrate the problem. Notice that I am using urldecode because I have no way of printing an ASCII value of 0.

<?php
// urldecode() yields a 4-byte binary string whose first byte is NUL
$initString = "%00an%3E";
$binaryString = urldecode($initString);
$encodedString = urlencode($binaryString);
?>

I believe the problem is in file ../ext/standard/url.c and in function php_url_encode(). This function allocates memory for the new string after determining the length of the input string via strlen(). However, a binary string could contain a byte with a value of zero, thereby yielding a shorter string length and not enough memory allocated.

I'll also include a suggested patch below.

--- ext/standard/url.c.orig Mon Sep 24 02:53:54 2001 +++ ext/standard/url.c Mon Sep 24 02:53:38 2001 @@ -239,7 +239,7 @@ { register int x, y; unsigned char *str; - str = (unsigned char *) emalloc(3 * strlen(s) + 1); + str = (unsigned char *) emalloc(3 * len + 1); for (x = 0, y = 0; len--; x++, y++) { str[y] = (unsigned char) s[x]; if (str[y] == ' ') {

P.S. Thanks for working on PHP, it's a fantastic language and I appreciate your effort.

-Manuel
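
Review bot: The new size expression 3 * len + 1 in the emalloc() call is computed without any bound on len. The hunk declares x and y as register int and does not show the type of len; if len is also a signed int, a negative or very large value makes 3 * len + 1 wrap, and the loop "for (x = 0, y = 0; len--; x++, y++)" then writes past the buffer. Please check len (non-negative, and small enough that 3 * len + 1 cannot overflow) before the emalloc(). A one-line comment above the allocation saying the buffer is sized from len because s may contain NUL bytes would also help keep strlen() from being reintroduced here.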
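
The sizing mismatch described in the report, as an added example that is not PHP's own code: encode_bytes, strlen_based_size and the sample buffer are hypothetical names, and the set of characters left unencoded is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not PHP's php_url_encode): percent-encodes exactly
 * len bytes of s and sizes the output from len, never from strlen(). */
char *encode_bytes(const unsigned char *s, size_t len, size_t *out_len)
{
    static const char hex[] = "0123456789ABCDEF";
    if (len > (SIZE_MAX - 1) / 3)      /* 3 * len + 1 would overflow */
        return NULL;
    char *out = malloc(3 * len + 1);   /* worst case: every byte -> %XX */
    if (out == NULL)
        return NULL;
    size_t y = 0;
    for (size_t x = 0; x < len; x++) {
        unsigned char c = s[x];
        if (c == ' ') {
            out[y++] = '+';
        } else if (isalnum(c) || c == '-' || c == '_' || c == '.') {
            out[y++] = (char)c;        /* assumed "safe" set */
        } else {
            out[y++] = '%';
            out[y++] = hex[c >> 4];
            out[y++] = hex[c & 0x0F];
        }
    }
    out[y] = '\0';
    if (out_len)
        *out_len = y;
    return out;
}

/* Size the strlen()-based expression from the report requests for s. */
size_t strlen_based_size(const unsigned char *s)
{
    return 3 * strlen((const char *)s) + 1;
}

/* Constructed sample: the report's "%00an%3E" after urldecode (4 bytes). */
static const unsigned char sample[] = { 0x00, 'a', 'n', '>' };

int main(void)
{
    size_t n = 0;
    char *enc = encode_bytes(sample, sizeof sample, &n);
    int ok = enc != NULL && n == 8 && strlen_based_size(sample) == 1;
    free(enc);
    return ok ? 0 : 1;
}
```

For the sample input the strlen()-based expression asks for 1 byte, while the encoded result needs 9 (8 characters plus the terminator).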