Home Original page

PHP :: Bug #22301 :: htmlspecialchars crashes Apache

Bug #22301 htmlspecialchars crashes Apache
Submitted: 2003-02-19 11:36 UTC Modified: 2003-02-25 12:51 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: peter at alcor dot concordia dot ca Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.3.0 OS: Tru64 Unix 5.1A
Private report: No CVE-ID: None

 [2003-02-19 11:36 UTC] peter at alcor dot concordia dot ca

This code crashes Apache on Tru64 Unix version 5.1A: 
 
<?php 
 
echo htmlspecialchars("That crashes Apache", ENT_QUOTES, 
"ISO-8859-1"); 
 
?> 
 
(dbx) run -X -f /pubmail/apache/conf/httpd.conf 
Unaligned access pid=148971 <httpd> va=0x14009ff7c 
pc=0x1200f6c08 ra=0x120111e90 inst=0xb4290000 
Unaligned access pid=148971 <httpd> va=0x14009ff7c 
pc=0x1200f6c08 ra=0x120111e90 inst=0xb4290000 
Unaligned access pid=148971 <httpd> va=0x11fff965c 
pc=0x1201164c0 ra=0x120116e8c inst=0xb42d0000 
signal Segmentation fault at   [get_next_char:6 
+0xfdc,0x12018a7ec] 
(dbx) 
 
I suspect it's 64-bit cleanness-related.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2003-02-19 15:29 UTC] peter at alcor dot concordia dot ca

If htmlspecialchars called with three parameters, 
zend_parse_parameters (inside php_html_entities function) 
doesn't properly initialize str pointer.

 [2003-02-25 12:04 UTC] peter at alcor dot concordia dot ca

Surprisingly this fixes the problem:

--- html.c.original     2002-12-12 09:52:09.000000000 -0500
+++ html.c      2003-02-25 13:01:05.000000000 -0500
@@ -827,7 +827,8 @@
 {
        char *str, *hint_charset = NULL;
        int str_len, hint_charset_len = 0;
-       int len, quote_style = ENT_COMPAT;
+       int len; 
+       long quote_style = ENT_COMPAT;
        char *replaced;
 
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ls", &str, &str_len,

 [2003-02-25 12:08 UTC] peter at alcor dot concordia dot ca

the previous diff is for ext/standard/html.c, just in case

 [2003-02-25 12:51 UTC] moriyoshi@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

The fix will be in 4.3.2