From: cataphract Operating system: Any PHP version: 5.4SVN-2012-02-03 (SVN) Package: Reproducible crash Bug Type: Bug Bug description:Buffer overflow on htmlspecialchars/entities with $double=false
Description: ------------ Long entities can cause a buffer overflow because the loop only guarantees 40 bytes available in beginning. Test script: --------------- <?php echo htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""', ENT_QUOTES, 'UTF-8', false), "\n"; -- Edit bug report at https://bugs.php.net/bug.php?id=60965&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=60965&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=60965&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=60965&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=60965&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=60965&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=60965&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=60965&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=60965&r=needscript Try newer version: https://bugs.php.net/fix.php?id=60965&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=60965&r=support Expected behavior: https://bugs.php.net/fix.php?id=60965&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=60965&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=60965&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=60965&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=60965&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=60965&r=dst IIS Stability: https://bugs.php.net/fix.php?id=60965&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=60965&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=60965&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=60965&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=60965&r=mysqlcfg