Sec Bug #72268 Integer Overflow in nl2br()
Submitted: 2016-05-26 15:53 UTC
Modified: 2016-07-07 09:34 UTC
From: taoguangchen at icloud dot com
Assigned: stas
Status: Closed
Package: *General Issues
PHP Version: 5.5.36
OS:
Private report: No
CVE-ID: None


 [2016-05-26 15:53 UTC] taoguangchen at icloud dot com
	/* in brief this inserts <br /> or <br> before matched regexp \n\r?|\r\n? */
	char		*tmp, *str;
	int		new_length;
	char		*end, *target;
	int		repl_cnt = 0;
	int		str_len;
	zend_bool	is_xhtml = 1;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &is_xhtml) == FAILURE) {
		size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);

		new_length = str_len + repl_cnt * repl_len; // ==> integer overflow
		RETURN_STRINGL(tmp, new_length, 0);


ini_set('memory_limit', -1);
$str = nl2br(str_repeat("\n", 0xffffffff/14+1));


checking new_length


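The overflow the report points at, worked through as an added C example (not PHP's own source and not the reporter's code): vulnerable_new_length() reproduces the int arithmetic of nl2br() in PHP 5.5.36, where str_len + repl_cnt * repl_len is evaluated in size_t and then truncated when stored in the int new_length that is later handed to RETURN_STRINGL; checked_new_length() and nl2br_safe() are a hardened version of this example's own design, doing the arithmetic in size_t with an explicit overflow check before anything is allocated. The 306783379 newline count in main is the reporter's 0xffffffff/14+1; since only the length arithmetic is needed to show the wrap, the example never allocates the 2 GB buffer.

```c
/* Added example (not PHP's own code): a model of the nl2br() length
 * computation from bug #72268. vulnerable_new_length() mirrors the int
 * arithmetic of PHP 5.5.36; checked_new_length() and nl2br_safe() are this
 * example's own hardened version using size_t plus an explicit overflow
 * check before any allocation. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* As in the original: str_len and repl_cnt are int, repl_len is size_t.
 * The expression is evaluated in size_t and then narrowed to int; the cast
 * only makes the implicit narrowing of the original visible. On every
 * mainstream compiler the out-of-range value wraps to a negative int. */
int vulnerable_new_length(int str_len, int repl_cnt, size_t repl_len)
{
    int new_length = (int)(str_len + repl_cnt * repl_len); /* ==> integer overflow */
    return new_length;
}

/* Hardened: all size_t. Returns SIZE_MAX when str_len + repl_cnt*repl_len + 1
 * (the +1 is the terminating NUL) would not fit, so the caller never allocates
 * from a wrapped value. SIZE_MAX can never be a valid result, which makes it a
 * safe sentinel. */
size_t checked_new_length(size_t str_len, size_t repl_cnt, size_t repl_len)
{
    if (repl_cnt != 0 && repl_len > SIZE_MAX / repl_cnt)
        return SIZE_MAX;                    /* repl_cnt * repl_len overflows */
    size_t grow = repl_cnt * repl_len;
    if (grow > SIZE_MAX - 1 - str_len)
        return SIZE_MAX;                    /* str_len + grow + 1 overflows */
    return str_len + grow;
}

/* First pass of nl2br: count "\n\r?|\r\n?" groups, pairing CRLF/LFCR as one. */
static size_t count_breaks(const char *str, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (str[i] == '\r' || str[i] == '\n') {
            if (i + 1 < len && (str[i + 1] == '\r' || str[i + 1] == '\n') && str[i + 1] != str[i])
                i++;
            n++;
        }
    }
    return n;
}

/* nl2br with the checked length: returns a malloc'd NUL-terminated string (and
 * its length via out_len), or NULL if the result length would overflow or the
 * allocation fails. Line breaks are kept, with <br /> or <br> inserted before. */
char *nl2br_safe(const char *str, size_t str_len, int is_xhtml, size_t *out_len)
{
    const char *br = is_xhtml ? "<br />" : "<br>";
    size_t repl_len = strlen(br);
    size_t repl_cnt = count_breaks(str, str_len);
    size_t new_length = checked_new_length(str_len, repl_cnt, repl_len);
    if (new_length == SIZE_MAX)
        return NULL;
    char *out = malloc(new_length + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < str_len; i++) {
        char c = str[i];
        if (c == '\r' || c == '\n') {
            memcpy(p, br, repl_len);
            p += repl_len;
            *p++ = c;
            if (i + 1 < str_len && (str[i + 1] == '\r' || str[i + 1] == '\n') && str[i + 1] != c)
                *p++ = str[++i];
        } else {
            *p++ = c;
        }
    }
    *p = '\0';
    if (out_len)
        *out_len = new_length;
    return out;
}

int main(void)
{
    /* The reporter's input: str_repeat("\n", 0xffffffff/14+1) is 306783379
     * newlines; each is replaced by "<br />" plus the newline, 7 bytes. */
    int str_len = 0xffffffff / 14 + 1;          /* 306783379 */
    int repl_cnt = str_len;                     /* one break per byte */
    size_t repl_len = sizeof("<br />") - 1;     /* 6 */
    printf("INT_MAX               = %d\n", INT_MAX);
    printf("vulnerable new_length = %d\n", vulnerable_new_length(str_len, repl_cnt, repl_len));
    printf("checked new_length    = %zu\n", checked_new_length(str_len, repl_cnt, repl_len));
    size_t n = 0;
    char *s = nl2br_safe("a\nb\r\nc", 6, 1, &n);     /* constructed sample input */
    printf("%zu: %s\n", n, s);
    free(s);
    return 0;
}
```

The true result length for the PoC is 2147483653 bytes, six more than INT_MAX, so the int copy goes negative while the allocation made from the unsigned product is still correct-sized; the hardened path keeps the length in size_t end to end and refuses before allocating rather than after.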
 [2016-06-16 04:53 UTC]
-Assigned To: +Assigned To: stas
 [2016-06-16 04:53 UTC]
See bug #72403
 [2016-06-21 06:53 UTC]
-Status: Assigned +Status: Closed
 [2016-06-21 06:53 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-07-06 16:03 UTC] php-e1b at deemzed dot uk
The fix for bug #72268 has not made it into the official PHP 5.5.37 and PHP 5.6.23 releases, as indicated in the announcement/changelogs. PHP_FUNCTION(nl2br):

        int             new_length;
 [2016-07-07 09:34 UTC]
A follow-up fix is in the scope of bug #72403; see 25bd11cf271f801efa346195d540f3d8e3bcb0ef.

PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC