Bug #60965 Buffer overflow on htmlspecialchars/entities with $double=false
Submitted: 2012-02-03 10:48 UTC Modified: 2012-04-13 21:42 UTC
Votes:16
Avg. Score:3.9 ± 1.0
Reproduced:5 of 10 (50.0%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: khalid at istartus dot com Assigned: cataphract
Status: Closed Package: Reproducible crash
PHP Version: 5.4SVN-2012-02-03 (SVN) OS: Any
Private report: No CVE-ID:
 [2012-02-03 10:48 UTC] khalid at istartus dot com
Description:
------------
Long entities can cause a buffer overflow because the loop only guarantees 40 bytes available at the beginning.

Test script:
---------------
<?php
// Fourth argument ($double_encode = false): existing entities in the input are
// parsed instead of being blindly escaped, so the long entity below is handled
// as a single unit in one loop iteration.
echo htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""&#x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005;',
ENT_QUOTES, 'UTF-8', false), "\n";


History
 [2012-02-03 10:50 UTC] cataphract@php.net
-Status: Open +Status: Critical -Assigned To: +Assigned To: cataphract
 [2012-02-03 17:03 UTC] rasmus@php.net
This is 5.4-only?
 [2012-02-03 18:36 UTC] cataphract@php.net
Yes, it is trunk/5.4 only.
 [2012-02-04 18:12 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323056
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
  $double=false).
- Removed unused variable.
- Given maxlen the usual meaning of *len variables (terminator not included).
- Changed some comments.
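The two passages above, the reporter's note that the loop only guaranteed 40 bytes of headroom per iteration and the commit's remark that maxlen now excludes the terminator, describe a classic bug class: reserve a fixed amount once per iteration, then copy a variable-length, attacker-controlled run. The following C program is an added illustration of that pattern and of the hardened form; it is not PHP's code and not the reporter's. It assumes a simplified model of htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false) over ASCII in which any syntactically well-formed entity is passed through verbatim (PHP's real validation is stricter, but the length problem does not depend on that), uses the 40-byte figure from the report as the fixed reserve, grows the buffer exactly rather than by doubling, and builds a constructed input of the reporter's shape (45 quotes, then a hex entity padded with 180 zeros) rather than the exact string from the test script. Out-of-bounds writes are detected and refused rather than performed, so the two policies can be compared without crashing.

```c
/* Added example, not PHP's own code: fixed per-iteration reserve (the bug)
 * versus a reserve sized to the run being copied, plus the NUL terminator. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESERVE 40                 /* headroom the buggy loop relies on (from the report) */

typedef enum { RESERVE_FIXED, RESERVE_EXACT } policy;

typedef struct {
    char *buf;
    size_t len, cap;
    int overflowed;                /* set when an append would exceed cap */
} outbuf;

/* Grow so that `need` bytes plus a NUL fit after the current contents.
 * Growth is exact on purpose: amortised doubling can leave spare room that
 * hides this bug class on many inputs, which is why such bugs evade tests. */
static void ob_reserve(outbuf *o, size_t need) {
    if (o->len + need + 1 > o->cap) {
        size_t ncap = o->len + need + 1;
        char *p = realloc(o->buf, ncap);
        if (!p) abort();
        o->buf = p;
        o->cap = ncap;
    }
}

/* Bounds-checked append: records an overflow instead of performing it. */
static void ob_put(outbuf *o, const char *s, size_t n) {
    if (o->len + n + 1 > o->cap) { o->overflowed = 1; return; }
    memcpy(o->buf + o->len, s, n);
    o->len += n;
    o->buf[o->len] = '\0';
}

/* Length of a well-formed entity starting at s (s[0] == '&'), else 0.
 * Accepts &name; &#dec; &#xhex; with no length cap (model assumption). */
static size_t entity_len(const char *s) {
    size_t i = 1, start;
    if (s[i] == '#') {
        i++;
        int hex = (s[i] == 'x' || s[i] == 'X');
        if (hex) i++;
        start = i;
        while (hex ? isxdigit((unsigned char)s[i]) : isdigit((unsigned char)s[i])) i++;
    } else {
        start = i;
        while (isalnum((unsigned char)s[i])) i++;
    }
    if (i == start) return 0;
    return s[i] == ';' ? i + 1 : 0;
}

/* Model of htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false) over ASCII.
 * Returns the escaped string (caller frees); *overflowed reports whether
 * the chosen reserve policy would have written past the buffer. */
char *escape_no_double(const char *in, policy p, int *overflowed) {
    outbuf o = {0};
    ob_reserve(&o, 0);
    o.buf[0] = '\0';
    for (const char *s = in; *s; s++) {
        const char *rep;
        if (p == RESERVE_FIXED) ob_reserve(&o, RESERVE);      /* bug: fixed headroom */
        if (*s == '&') {
            size_t elen = entity_len(s);
            if (elen) {                        /* existing entity: copied through */
                if (p == RESERVE_EXACT) ob_reserve(&o, elen); /* fix: size to the run */
                ob_put(&o, s, elen);
                s += elen - 1;
                continue;
            }
            rep = "&amp;";
        } else rep = *s == '<' ? "&lt;" : *s == '>' ? "&gt;"
                   : *s == '"' ? "&quot;" : *s == '\'' ? "&#039;" : s;
        size_t n = (rep == s) ? 1 : strlen(rep);
        if (p == RESERVE_EXACT) ob_reserve(&o, n);
        ob_put(&o, rep, n);
    }
    *overflowed = o.overflowed;
    return o.buf;
}

/* Constructed input of the reporter's shape: nquotes double quotes, then a
 * hex numeric entity padded with nzeros leading zeros. Caller frees. */
char *build_input(size_t nquotes, size_t nzeros) {
    char *s = malloc(nquotes + 3 + nzeros + 3);
    if (!s) abort();
    memset(s, '"', nquotes);
    memcpy(s + nquotes, "&#x", 3);
    memset(s + nquotes + 3, '0', nzeros);
    memcpy(s + nquotes + 3 + nzeros, "5;", 3);               /* copies the NUL too */
    return s;
}

int main(void) {
    char *in = build_input(45, 180);
    int ov;
    char *out = escape_no_double(in, RESERVE_FIXED, &ov);
    printf("fixed %d-byte reserve:  %s\n", RESERVE, ov ? "would overflow" : "ok");
    free(out);
    out = escape_no_double(in, RESERVE_EXACT, &ov);
    printf("length-aware reserve: %s, %zu bytes out\n", ov ? "would overflow" : "ok", strlen(out));
    free(out);
    free(in);
    return 0;
}
```

The quote run is harmless under either policy because each `&quot;` is six bytes, well inside the 40-byte reserve; the entity is the problem because its length is chosen by whoever supplies the input, and the reserve taken at the top of the iteration knows nothing about it. Note also that the `+ 1` for the terminator lives in one place, ob_reserve, which is the convention the fix commit restores for maxlen.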
 [2012-02-05 09:59 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=323074
Log: - Merge r323056 (see bug #60965).
 [2012-02-05 10:04 UTC] cataphract@php.net
-Status: Critical +Status: Closed
 [2012-02-27 09:56 UTC] khalid at istartus dot com
-: cataphract@php.net +: khalid at istartus dot com -Status: Closed +Status: Assigned
 [2012-02-27 09:56 UTC] khalid at istartus dot com
hi
 [2012-04-13 21:42 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2012-04-13 21:42 UTC] nikic@php.net
Why was this reopened?
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=122e11ef6e5af5eb5e940b08bb018fd0d03a34d2
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false). - Removed unused variable. - Given maxlen the usual meaning of *len variables (terminator not included). - Changed some comments.
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=122e11ef6e5af5eb5e940b08bb018fd0d03a34d2
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false). - Removed unused variable. - Given maxlen the usual meaning of *len variables (terminator not included). - Changed some comments.
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=122e11ef6e5af5eb5e940b08bb018fd0d03a34d2
Log: - Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false). - Removed unused variable. - Given maxlen the usual meaning of *len variables (terminator not included). - Changed some comments.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC