Bug #22301 htmlspecialchars crashes Apache
Submitted: 2003-02-19 11:36 UTC
Modified: 2003-02-25 12:51 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: peter at alcor dot concordia dot ca
Assigned:
Status: Closed
Package: Reproducible crash
PHP Version: 4.3.0
OS: Tru64 Unix 5.1A
Private report: No
CVE-ID:
 [2003-02-19 11:36 UTC] peter at alcor dot concordia dot ca
This code crashes Apache on Tru64 Unix version 5.1A:

<?php
// Three-argument form: string, quote style, and a charset hint.
echo htmlspecialchars("That crashes Apache", ENT_QUOTES, "ISO-8859-1");
?>

(dbx) run -X -f /pubmail/apache/conf/httpd.conf
Unaligned access pid=148971 <httpd> va=0x14009ff7c
pc=0x1200f6c08 ra=0x120111e90 inst=0xb4290000
Unaligned access pid=148971 <httpd> va=0x14009ff7c
pc=0x1200f6c08 ra=0x120111e90 inst=0xb4290000
Unaligned access pid=148971 <httpd> va=0x11fff965c
pc=0x1201164c0 ra=0x120116e8c inst=0xb42d0000
signal Segmentation fault at   [get_next_char:6 +0xfdc,0x12018a7ec]
(dbx)

I suspect it's 64-bit cleanness-related.

 [2003-02-19 15:29 UTC] peter at alcor dot concordia dot ca
If htmlspecialchars is called with three parameters,
zend_parse_parameters (inside the php_html_entities function)
doesn't properly initialize the str pointer.
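The mechanism behind this report is a width mismatch: zend_parse_parameters is variadic, so the compiler cannot check that the address passed for an "l" conversion really points at a `long`. The parser stores sizeof(long) bytes there regardless; on an LP64 platform such as Tru64 that is 8 bytes, and a 4-byte `int` variable cannot hold them, so the surplus lands in whatever local the compiler placed next to it. The following C program is an added illustration, not code from the bug report or from PHP: it models the locals as a byte array (a constructed layout, not PHP's real stack frame), performs the "l" store into a slot of the original `int` width and of the patched `long` width, and counts how many bytes of the neighbouring local were overwritten. It also shows the one-line width check a reviewer can apply to each "l" argument.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not PHP's real stack layout): the locals of a function
 * such as php_html_entities() packed back to back in a byte array. The first
 * slot is quote_style; the bytes after it belong to a neighbouring local
 * (str_len, or a pointer such as str, depending on the compiler). */
#define FRAME_BYTES 16
#define SENTINEL    0xAA

/* Emulates what a variadic "l" conversion does: it receives an address and
 * stores a full `long` there, sizeof(long) bytes, whatever the caller's
 * variable actually was. Through `...` an `int *` is accepted silently. */
static void store_long_at(unsigned char *dst, long value)
{
    memcpy(dst, &value, sizeof value);
}

/* Parses quote_style into a variable `slot_size` bytes wide and reports how
 * many bytes of the neighbouring local were overwritten.
 * slot_size == sizeof(int)  models the original `int quote_style`;
 * slot_size == sizeof(long) models the patched  `long quote_style`. */
size_t neighbour_bytes_clobbered(size_t slot_size, long quote_style)
{
    unsigned char frame[FRAME_BYTES];
    size_t i, clobbered = 0;

    memset(frame, SENTINEL, sizeof frame);  /* neighbour starts intact */
    store_long_at(frame, quote_style);      /* the "l" store */

    for (i = slot_size; i < sizeof frame; i++)
        if (frame[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

/* The part of a long that does not fit into the slot: 0 on ILP32 (int and
 * long both 4 bytes), 4 on LP64 (int 4 bytes, long 8 bytes). */
size_t expected_overflow(size_t slot_size)
{
    return sizeof(long) > slot_size ? sizeof(long) - slot_size : 0;
}

/* Review-time check for each "l" argument: the variable handed to the parser
 * must be exactly as wide as the type the conversion writes. 1 = safe. */
#define WIDTH_OK_FOR_L(var) (sizeof(var) == sizeof(long))

int main(void)
{
    int  quote_style_orig  = 0;   /* declaration before the patch */
    long quote_style_fixed = 0;   /* declaration after the patch */

    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    printf("int slot:  %zu neighbour bytes overwritten\n",
           neighbour_bytes_clobbered(sizeof quote_style_orig, 3 /* ENT_QUOTES */));
    printf("long slot: %zu neighbour bytes overwritten\n",
           neighbour_bytes_clobbered(sizeof quote_style_fixed, 3 /* ENT_QUOTES */));
    printf("width check: int=%d long=%d\n",
           WIDTH_OK_FOR_L(quote_style_orig), WIDTH_OK_FOR_L(quote_style_fixed));
    return 0;
}
```

On a 64-bit build the `int` slot leaves four overwritten bytes in the neighbouring local, which is why the symptom shows up as a corrupted pointer or length deep inside get_next_char rather than at the call site; on a 32-bit build the same code reports zero, matching the observation that the crash is specific to 64-bit platforms.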
 [2003-02-23 23:21 UTC] moriyoshi@php.net
Could you provide us with a backtrace so we can have a better insight into this issue?

If you are unsure how to generate a backtrace, see
http://bugs.php.net/bugs-generating-backtrace.php

Thanks for your cooperation.
 [2003-02-25 12:04 UTC] peter at alcor dot concordia dot ca
Surprisingly this fixes the problem:

--- html.c.original     2002-12-12 09:52:09.000000000 -0500
+++ html.c      2003-02-25 13:01:05.000000000 -0500
@@ -827,7 +827,8 @@
 {
        char *str, *hint_charset = NULL;
        int str_len, hint_charset_len = 0;
-       int len, quote_style = ENT_COMPAT;
+       int len; 
+       long quote_style = ENT_COMPAT;
        char *replaced;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len,
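Review bot: the change from `int` to `long quote_style` is the right fix for the "s|ls" call below: the "l" conversion stores a `long` through its pointer argument, and with an `int` declaration that store is wider than the variable on LP64 platforms such as Tru64, overwriting the neighbouring local. Since the variadic call gives the compiler no way to catch this, add a comment at the declaration stating that the type must stay `long` to match the "l" conversion, and drop the trailing whitespace on the `int len;` line. It is also worth confirming that `str_len` and `hint_charset_len` are the width the "s" conversion writes, as the same class of mismatch would apply there.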
 [2003-02-25 12:08 UTC] peter at alcor dot concordia dot ca
The previous diff is for ext/standard/html.c, just in case.
 [2003-02-25 12:51 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

The fix will be in 4.3.2.

 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 19:01:53 2014 UTC