[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug28382.phpt branches/PHP_5_4/ext/openssl/tests/bug28382.phpt trunk/ext/openssl/tests/bug28382.phpt

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 09:32:20 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323070

Log:
According to the reports on qa this test is failing the same way for everyone.
See: http://qa.php.net/reports/viewreports.php?version=5.3.10&test=%2Fext%2Fopenssl%2Ftests%2Fbug28382.phpt
I'm not sure if this is due to a change in the openssl library or in the
extension, so perhaps the test itself needs to change, but for now synch it
with the new output and watch for failures.

Bug: https://bugs.php.net/28382 (Closed) the openssl_x509_parse function does 
not extract the certificate extensions
  
Changed paths:
U   php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt
U   php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt
U   php/php-src/trunk/ext/openssl/tests/bug28382.phpt

Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt
===
--- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt
2012-02-05 07:47:43 UTC (rev 323069)
+++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt
2012-02-05 09:32:20 UTC (rev 323070)
@@ -20,7 +20,9 @@
   [nsCertType]=
   string(30) SSL Client, SSL Server, S/MIME
   [crlDistributionPoints]=
-  string(51) URI:http://mobile.blue-software.ro:90/ca/crl.shtml
+  string(65) 
+Full Name:
+  URI:http://mobile.blue-software.ro:90/ca/crl.shtml
 
   [nsCaPolicyUrl]=
   string(38) http://mobile.blue-software.ro:90/pub/;
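
Review bot: the new expectation for [crlDistributionPoints] pins both the multi-line `Full Name:` layout and the length 65, so the test now passes only where that rendering is produced and fails wherever the old single-line string(51) form still appears. Since the log is unsure whether the library or the extension changed, consider having the test body check that the value contains `URI:http://mobile.blue-software.ro:90/ca/crl.shtml` rather than comparing the whole formatted string, and record the cause in bug 28382 once it is known.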

Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt
===
--- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt
2012-02-05 07:47:43 UTC (rev 323069)
+++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt
2012-02-05 09:32:20 UTC (rev 323070)
@@ -20,7 +20,9 @@
   [nsCertType]=
   string(30) SSL Client, SSL Server, S/MIME
   [crlDistributionPoints]=
-  string(51) URI:http://mobile.blue-software.ro:90/ca/crl.shtml
+  string(65) 
+Full Name:
+  URI:http://mobile.blue-software.ro:90/ca/crl.shtml
 
   [nsCaPolicyUrl]=
   string(38) http://mobile.blue-software.ro:90/pub/;

Modified: php/php-src/trunk/ext/openssl/tests/bug28382.phpt
===
--- php/php-src/trunk/ext/openssl/tests/bug28382.phpt   2012-02-05 07:47:43 UTC 
(rev 323069)
+++ php/php-src/trunk/ext/openssl/tests/bug28382.phpt   2012-02-05 09:32:20 UTC 
(rev 323070)
@@ -20,7 +20,9 @@
   [nsCertType]=
   string(30) SSL Client, SSL Server, S/MIME
   [crlDistributionPoints]=
-  string(51) URI:http://mobile.blue-software.ro:90/ca/crl.shtml
+  string(65) 
+Full Name:
+  URI:http://mobile.blue-software.ro:90/ca/crl.shtml
 
   [nsCaPolicyUrl]=
   string(38) http://mobile.blue-software.ro:90/pub/;

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug47828.phpt branches/PHP_5_4/ext/openssl/tests/bug47828.phpt trunk/ext/openssl/tests/bug47828.phpt

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 09:50:14 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323071

Log:
Getting different hashes here. But this test isn't testing the hashes,
it is just making sure we actually get a hash and don't crash.

Changed paths:
U   php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
U   php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
U   php/php-src/trunk/ext/openssl/tests/bug47828.phpt

Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
2012-02-05 09:32:20 UTC (rev 323070)
+++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
2012-02-05 09:50:14 UTC (rev 323071)
@@ -36,5 +36,5 @@
 echo Done;
 ?
 --EXPECT--
-string(8) 9337ed77
+string(8) %s
 Done
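
Review bot: `string(8) %s` is added under a section that is still `--EXPECT--`, which is compared literally, so the test would pass only if the dumped value were the two characters `%s`. The placeholder needs the section header changed to `--EXPECTF--` in the same commit.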

Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
2012-02-05 09:32:20 UTC (rev 323070)
+++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
2012-02-05 09:50:14 UTC (rev 323071)
@@ -36,5 +36,5 @@
 echo Done;
 ?
 --EXPECT--
-string(8) 9337ed77
+string(8) %s
 Done

Modified: php/php-src/trunk/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/trunk/ext/openssl/tests/bug47828.phpt   2012-02-05 09:32:20 UTC 
(rev 323070)
+++ php/php-src/trunk/ext/openssl/tests/bug47828.phpt   2012-02-05 09:50:14 UTC 
(rev 323071)
@@ -36,5 +36,5 @@
 echo Done;
 ?
 --EXPECT--
-string(8) 9337ed77
+string(8) %s
 Done


[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug47828.phpt branches/PHP_5_4/ext/openssl/tests/bug47828.phpt trunk/ext/openssl/tests/bug47828.phpt

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 09:52:41 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323072

Log:
Need EXPECTF here, of course

Changed paths:
U   php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
U   php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
U   php/php-src/trunk/ext/openssl/tests/bug47828.phpt

Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
2012-02-05 09:50:14 UTC (rev 323071)
+++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt
2012-02-05 09:52:41 UTC (rev 323072)
@@ -35,6 +35,6 @@
 var_dump($arr['hash']);
 echo Done;
 ?
---EXPECT--
+--EXPECTF--
 string(8) %s
 Done
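
Review bot: with `--EXPECTF--` in place, `string(8) %s` accepts any run of characters up to the end of the line, which is looser than "we actually get a hash". `%x` (one or more hex digits) would keep the test independent of the OpenSSL hash value while still failing if something other than a hex digest comes back.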

Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
2012-02-05 09:50:14 UTC (rev 323071)
+++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt
2012-02-05 09:52:41 UTC (rev 323072)
@@ -35,6 +35,6 @@
 var_dump($arr['hash']);
 echo Done;
 ?
---EXPECT--
+--EXPECTF--
 string(8) %s
 Done

Modified: php/php-src/trunk/ext/openssl/tests/bug47828.phpt
===
--- php/php-src/trunk/ext/openssl/tests/bug47828.phpt   2012-02-05 09:50:14 UTC 
(rev 323071)
+++ php/php-src/trunk/ext/openssl/tests/bug47828.phpt   2012-02-05 09:52:41 UTC 
(rev 323072)
@@ -35,6 +35,6 @@
 var_dump($arr['hash']);
 echo Done;
 ?
---EXPECT--
+--EXPECTF--
 string(8) %s
 Done


[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt trunk/ext/pdo_firebird/tests/bug_53280.phpt

2012-02-05 Thread Popa Adrian Marius
mariuz   Sun, 05 Feb 2012 09:58:50 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323073

Log:
fix gcov Warning: ibase_drop_db(): lock time-out on wait transaction object 
http://gcov.php.net/viewer.php?version=PHP_5_4&func=tests&file=ext%2Fpdo_firebird%2Ftests%2Fbug_53280.phpt

Changed paths:
U   php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt
U   php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt
U   php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt

Modified: php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt
===
--- php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt  
2012-02-05 09:52:41 UTC (rev 323072)
+++ php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt  
2012-02-05 09:58:50 UTC (rev 323073)
@@ -27,10 +27,9 @@
 $rows = $stmth1-fetchAll(); // --- segfault
 var_dump($rows);

-$stmt = $dbh-prepare('DELETE FROM testz');
-$stmt-execute();
-
 $dbh-commit();
+unset($stmth1);
+unset($stmth2);

 $dbh-exec('DROP TABLE testz');
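
Review bot: the `unset($stmth1);` and `unset($stmth2);` lines added after the commit carry no comment, so nothing tells a later reader that they are presumably there to release the open statement handles before `DROP TABLE testz` runs. A one-line comment naming the lock time-out from the log would keep them from being tidied away in a later cleanup.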


Modified: php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt
===
--- php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt  
2012-02-05 09:52:41 UTC (rev 323072)
+++ php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt  
2012-02-05 09:58:50 UTC (rev 323073)
@@ -27,10 +27,9 @@
 $rows = $stmth1-fetchAll(); // --- segfault
 var_dump($rows);

-$stmt = $dbh-prepare('DELETE FROM testz');
-$stmt-execute();
-
 $dbh-commit();
+unset($stmth1);
+unset($stmth2);

 $dbh-exec('DROP TABLE testz');


Modified: php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt
===
--- php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 
09:52:41 UTC (rev 323072)
+++ php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 
09:58:50 UTC (rev 323073)
@@ -27,10 +27,9 @@
 $rows = $stmth1-fetchAll(); // --- segfault
 var_dump($rows);

-$stmt = $dbh-prepare('DELETE FROM testz');
-$stmt-execute();
-
 $dbh-commit();
+unset($stmth1);
+unset($stmth2);

 $dbh-exec('DROP TABLE testz');



[PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Gustavo André dos Santos Lopes
cataphract   Sun, 05 Feb 2012 09:59:33 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323074

Log:
- Merge r323056 (see bug #60965).

Bug: https://bugs.php.net/60965 (Critical) Buffer overflow on 
htmlspecialchars/entities with $double=false
  
Changed paths:
U   php/php-src/branches/PHP_5_4/NEWS
U   php/php-src/branches/PHP_5_4/ext/standard/html.c
A + php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt
(from 
php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt:r323056)

Modified: php/php-src/branches/PHP_5_4/NEWS
===
--- php/php-src/branches/PHP_5_4/NEWS   2012-02-05 09:58:50 UTC (rev 323073)
+++ php/php-src/branches/PHP_5_4/NEWS   2012-02-05 09:59:33 UTC (rev 323074)
@@ -1,10 +1,13 @@
 PHPNEWS
 |||
 ?? Feb 2012, PHP 5.4.0 RC 8
+- Core:
+  . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
+$double=false). (Gustavo)

 02 Feb 2012, PHP 5.4.0 RC 7
 - Core:
-  . Fix bug #60895 (Possible invalid handler usage in windows random
+  . Fixed bug #60895 (Possible invalid handler usage in windows random
 functions). (Pierre)
   . Fixed bug #51860 (Include fails with toplevel symlink to /). (Dmitry)
   . Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.

Modified: php/php-src/branches/PHP_5_4/ext/standard/html.c
===
--- php/php-src/branches/PHP_5_4/ext/standard/html.c2012-02-05 09:58:50 UTC 
(rev 323073)
+++ php/php-src/branches/PHP_5_4/ext/standard/html.c2012-02-05 09:59:33 UTC 
(rev 323074)
@@ -1215,7 +1215,6 @@
size_t cursor, maxlen, len;
char *replaced;
enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
-   int matches_map;
int doctype = flags  ENT_HTML_DOC_TYPE_MASK;
entity_table_opt entity_table;
const enc_to_uni *to_uni_table = NULL;
@@ -1253,12 +1252,14 @@
}
}

+   /* initial estimate */
if (oldlen  64) {
maxlen = 128;
} else {
maxlen = 2 * oldlen;
}
-   replaced = emalloc(maxlen);
+
+   replaced = emalloc(maxlen + 1);
len = 0;
cursor = 0;
while (cursor  oldlen) {
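
Review bot: the initial estimate `maxlen = 2 * oldlen` and the new `emalloc(maxlen + 1)` are both unchecked size_t arithmetic, so the allocation size is only correct while `oldlen` stays below half the size_t range. If that is considered unreachable, say so in the `/* initial estimate */` comment; otherwise check `oldlen` against that limit before multiplying.
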
@@ -1271,7 +1272,7 @@
/* guarantee we have at least 40 bytes to write.
 * In HTML5, entities may take up to 33 bytes */
if (len + 40  maxlen) {
-   replaced = erealloc(replaced, maxlen += 128);
+   replaced = erealloc(replaced, (maxlen += 128) + 1);
}

if (status == FAILURE) {
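
Review bot: `erealloc(replaced, (maxlen += 128) + 1)` updates `maxlen` as a side effect inside the argument list, and the `+ 1` for the terminator now has to be remembered at every allocation site. Writing `maxlen += 128;` as its own statement before the call, or wrapping the grow step in one small helper or macro, would make the "maxlen usable bytes plus one terminator byte" rule harder to break in a later edit.
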
@@ -1291,7 +1292,6 @@
mbsequence = old[cursor_before];
mbseqlen = cursor - cursor_before;
}
-   matches_map = 0;

if (this_char != '') { /* no entity on this position */
const unsigned char *rep= NULL;
@@ -1302,12 +1302,15 @@
goto pass_char_through;

if (all) { /* false that 
CHARSET_PARTIAL_SUPPORT(charset) */
-   /* look for entity for this char */
if (to_uni_table != NULL) {
+   /* !CHARSET_UNICODE_COMPAT therefore 
not UTF-8; since UTF-8
+* is the only multibyte encoding with 
!CHARSET_PARTIAL_SUPPORT,
+* we're using a single byte encoding */
map_to_unicode(this_char, to_uni_table, 
this_char);
if (this_char == 0x) /* no mapping; 
pass through */
goto pass_char_through;
}
+   /* the cursor may advance */
find_entity_for_char(this_char, charset, 
entity_table.ms_table, rep,
rep_len, old, oldlen, cursor);
} else {
@@ -1397,6 +1400,10 @@
}
}
/* checks passed; copy entity to result */
+   /* entity size is unbounded, we may need more 
memory */
+   if (maxlen  len + ent_len + 2 /*  and ; */) {
+   replaced = erealloc(replaced, (maxlen 
+= ent_len + 128) + 1);
+   }
replaced[len++] = '';
memcpy(replaced[len], old[cursor], ent_len);
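
Review bot: the added check sizes the buffer for `ent_len + 2` (the two delimiter bytes), while the terminator byte is covered only by the separate `+ 1` inside the `erealloc` call, so the two numbers have to be read together to see that the copy stays in bounds. A short comment stating the invariant (maxlen bytes usable, one extra for the terminator) next to `/* entity size is unbounded ... */` would make that explicit, and it would also show that the "at least 40 bytes" guarantee earlier in the loop does not cover this path.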
 

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt trunk/ext/openssl/tests/openssl_x509_pars

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 10:08:16 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323075

Log:
Another openssl test that is dependent on the openssl version. The output has
changed in more recent versions. Synch with newer output and consider changing
the test to only pick out the more stable fields instead of all of them.

Changed paths:
U   
php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt
U   
php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt
U   php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt

Modified: 
php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt
===
--- 
php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt
2012-02-05 09:59:33 UTC (rev 323074)
+++ 
php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt
2012-02-05 10:08:16 UTC (rev 323075)
@@ -9,7 +9,7 @@
 var_dump(openssl_x509_parse($cert));
 var_dump(openssl_x509_parse($cert, false));
 ?
---EXPECT--
+--EXPECTF--
 array(12) {
   [name]=
   string(96) /C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. 
Angelo/emailAddress=hnang...@php.net
@@ -27,7 +27,7 @@
 string(16) hnang...@php.net
   }
   [hash]=
-  string(8) 088c65c2
+  string(8) %s
   [issuer]=
   array(5) {
 [C]=
@@ -54,7 +54,7 @@
   [validTo_time_t]=
   int(1217413723)
   [purposes]=
-  array(8) {
+  array(9) {
 [1]=
 array(3) {
   [0]=
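
Review bot: `array(9)` under [purposes] replaces one hard-coded count with another, so the expectation still tracks whichever OpenSSL version lists nine purposes and fails against one that lists eight. Now that the section is `--EXPECTF--`, `array(%d)` would handle the count, but the literal [9] entry added further down has the same problem; as the log suggests, dumping only the stable fields in the test body is the more durable fix.
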
@@ -127,6 +127,15 @@
   [2]=
   string(10) ocsphelper
 }
+[9]=
+array(3) {
+  [0]=
+  bool(false)
+  [1]=
+  bool(true)
+  [2]=
+  string(13) timestampsign
+}
   }
   [extensions]=
   array(3) {
@@ -158,7 +167,7 @@
 string(16) hnang...@php.net
   }
   [hash]=
-  string(8) 088c65c2
+  string(8) %s
   [issuer]=
   array(5) {
 [countryName]=
@@ -185,7 +194,7 @@
   [validTo_time_t]=
   int(1217413723)
   [purposes]=
-  array(8) {
+  array(9) {
 [1]=
 array(3) {
   [0]=
@@ -258,6 +267,15 @@
   [2]=
   string(11) OCSP helper
 }
+[9]=
+array(3) {
+  [0]=
+  bool(false)
+  [1]=
+  bool(true)
+  [2]=
+  string(18) Time Stamp signing
+}
   }
   [extensions]=
   array(3) {

Modified: 
php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt
===
--- 
php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt
2012-02-05 09:59:33 UTC (rev 323074)
+++ 
php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt
2012-02-05 10:08:16 UTC (rev 323075)
@@ -9,7 +9,7 @@
 var_dump(openssl_x509_parse($cert));
 var_dump(openssl_x509_parse($cert, false));
 ?
---EXPECT--
+--EXPECTF--
 array(12) {
   [name]=
   string(96) /C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. 
Angelo/emailAddress=hnang...@php.net
@@ -27,7 +27,7 @@
 string(16) hnang...@php.net
   }
   [hash]=
-  string(8) 088c65c2
+  string(8) %s
   [issuer]=
   array(5) {
 [C]=
@@ -54,7 +54,7 @@
   [validTo_time_t]=
   int(1217413723)
   [purposes]=
-  array(8) {
+  array(9) {
 [1]=
 array(3) {
   [0]=
@@ -127,6 +127,15 @@
   [2]=
   string(10) ocsphelper
 }
+[9]=
+array(3) {
+  [0]=
+  bool(false)
+  [1]=
+  bool(true)
+  [2]=
+  string(13) timestampsign
+}
   }
   [extensions]=
   array(3) {
@@ -158,7 +167,7 @@
 string(16) hnang...@php.net
   }
   [hash]=
-  string(8) 088c65c2
+  string(8) %s
   [issuer]=
   array(5) {
 [countryName]=
@@ -185,7 +194,7 @@
   [validTo_time_t]=
   int(1217413723)
   [purposes]=
-  array(8) {
+  array(9) {
 [1]=
 array(3) {
   [0]=
@@ -258,6 +267,15 @@
   [2]=
   string(11) OCSP helper
 }
+[9]=
+array(3) {
+  [0]=
+  bool(false)
+  [1]=
+  bool(true)
+  [2]=
+  string(18) Time Stamp signing
+}
   }
   [extensions]=
   array(3) {

Modified: php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt
===
--- php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt   
2012-02-05 09:59:33 UTC (rev 323074)
+++ php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt   
2012-02-05 10:08:16 UTC (rev 323075)
@@ -9,7 +9,7 @@
 var_dump(openssl_x509_parse($cert));
 var_dump(openssl_x509_parse($cert, false));
 ?
---EXPECT--
+--EXPECTF--
 array(12) {
   [name]=
   string(96) /C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. 
Angelo/emailAddress=hnang...@php.net
@@ -27,7 +27,7 @@
 string(16) hnang...@php.net
   }
   [hash]=
-  string(8) 088c65c2
+  string(8) %s
   [issuer]=
   array(5) {
 [C]=
@@ -54,7 +54,7 @@
   [validTo_time_t]=
   int(1217413723)
   [purposes]=
-  array(8) {
+  array(9) {
 

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt trunk/ext/intl/tests/date

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 10:29:34 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323076

Log:
Without a timezone you can't know whether it is dst or not in this one

Changed paths:
U   
php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
U   
php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
U   
php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt

Modified: 
php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
===
--- 
php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
2012-02-05 10:08:16 UTC (rev 323075)
+++ 
php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
2012-02-05 10:29:34 UTC (rev 323076)
@@ -78,7 +78,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -96,7 +96,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing 
failed: U_PARSE_ERROR'
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing 
failed: U_PARSE_ERROR'
 ---
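
Review bot: `tm_isdst : '%d'` stops asserting the field altogether, and the switch to `--EXPECTF--` makes every `%` in the rest of the expected block a pattern. If the ambiguity comes only from the missing timezone, giving the formatter an explicit timezone in the test would keep tm_isdst checked against a fixed value instead of a wildcard.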

Modified: 
php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
===
--- 
php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
2012-02-05 10:08:16 UTC (rev 323075)
+++ 
php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
2012-02-05 10:29:34 UTC (rev 323076)
@@ -78,7 +78,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -96,7 +96,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing 
failed: U_PARSE_ERROR'
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing 
failed: U_PARSE_ERROR'
 ---

Modified: 
php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt
===
--- php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt   
2012-02-05 10:08:16 UTC (rev 323075)
+++ php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt   
2012-02-05 10:29:34 UTC (rev 323076)
@@ -78,7 +78,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -96,7 +96,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing 
failed: U_PARSE_ERROR'
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing 
failed: U_PARSE_ERROR'
 ---


[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt trunk/ext/intl/tests/dateformat_localtime.phpt

2012-02-05 Thread Rasmus Lerdorf
rasmus   Sun, 05 Feb 2012 10:35:56 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323077

Log:
Same thing here. June 18, 1969 8:49:59 AM does not contain a timezone, so there
is no way to know whether dst should be applied or not.

Changed paths:
U   php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt
U   php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt
U   php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt

Modified: php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt
===
--- php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt   
2012-02-05 10:29:34 UTC (rev 323076)
+++ php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt   
2012-02-05 10:35:56 UTC (rev 323077)
@@ -92,7 +92,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -110,7 +110,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL
 ---
@@ -130,4 +130,4 @@
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
 
-IntlDateFormatter : DateType::FULL, TimeType::FULL
\ No newline at end of file
+IntlDateFormatter : DateType::FULL, TimeType::FULL

Modified: php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt
===
--- php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt   
2012-02-05 10:29:34 UTC (rev 323076)
+++ php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt   
2012-02-05 10:35:56 UTC (rev 323077)
@@ -92,7 +92,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -110,7 +110,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL
 ---
@@ -130,4 +130,4 @@
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
 
-IntlDateFormatter : DateType::FULL, TimeType::FULL
\ No newline at end of file
+IntlDateFormatter : DateType::FULL, TimeType::FULL

Modified: php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt
===
--- php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt  2012-02-05 
10:29:34 UTC (rev 323076)
+++ php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt  2012-02-05 
10:35:56 UTC (rev 323077)
@@ -92,7 +92,7 @@
 // Run the test
 ut_run();
 ?
---EXPECT--
+--EXPECTF--
 ---

 Input text is : Thursday, December 18, 1969 8:49:59 AM PST
@@ -110,7 +110,7 @@
 IntlDateFormatter : DateType::LONG, TimeType::LONG
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
-tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' ,
+tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : 
'18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' ,
 
 IntlDateFormatter : DateType::FULL, TimeType::FULL
 ---
@@ -130,4 +130,4 @@
 
 IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM
 
-IntlDateFormatter : DateType::FULL, TimeType::FULL
\ No newline at end of file
+IntlDateFormatter : DateType::FULL, TimeType::FULL


Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Nuno Lopes
I didn't carefully review this patch, but doesn't this code suffer from 
potential math overflow?

i.e. with strlen($input_str) > INT_MAX/2  (or UINT_MAX/2)

Nuno

- Original Message - 
From: Gustavo André dos Santos Lopes cataphr...@php.net

To: php-cvs@lists.php.net
Sent: Sunday, February 05, 2012 9:59 AM
Subject: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS 
ext/standard/html.c ext/standard/tests/strings/bug60965.phpt




cataphract   Sun, 05 Feb 2012 09:59:33 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323074

Log:
- Merge r323056 (see bug #60965).

Bug: https://bugs.php.net/60965 (Critical) Buffer overflow on 
htmlspecialchars/entities with $double=false


Changed paths:
   U   php/php-src/branches/PHP_5_4/NEWS
   U   php/php-src/branches/PHP_5_4/ext/standard/html.c
   A + 
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt
   (from 
php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt:r323056)


Modified: php/php-src/branches/PHP_5_4/NEWS
===
--- php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:58:50 UTC (rev 323073)
+++ php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:59:33 UTC (rev 323074)
@@ -1,10 +1,13 @@
PHP 
NEWS

|||
?? Feb 2012, PHP 5.4.0 RC 8
+- Core:
+  . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
+$double=false). (Gustavo)

02 Feb 2012, PHP 5.4.0 RC 7
- Core:
-  . Fix bug #60895 (Possible invalid handler usage in windows random
+  . Fixed bug #60895 (Possible invalid handler usage in windows random
functions). (Pierre)
  . Fixed bug #51860 (Include fails with toplevel symlink to /). (Dmitry)
  . Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods.

Modified: php/php-src/branches/PHP_5_4/ext/standard/html.c
===
--- php/php-src/branches/PHP_5_4/ext/standard/html.c 2012-02-05 09:58:50 
UTC (rev 323073)
+++ php/php-src/branches/PHP_5_4/ext/standard/html.c 2012-02-05 09:59:33 
UTC (rev 323074)

@@ -1215,7 +1215,6 @@
 size_t cursor, maxlen, len;
 char *replaced;
 enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
- int matches_map;
 int doctype = flags  ENT_HTML_DOC_TYPE_MASK;
 entity_table_opt entity_table;
 const enc_to_uni *to_uni_table = NULL;
@@ -1253,12 +1252,14 @@
 }
 }

+ /* initial estimate */
 if (oldlen  64) {
 maxlen = 128;
 } else {
 maxlen = 2 * oldlen;
 }
- replaced = emalloc(maxlen);
+
+ replaced = emalloc(maxlen + 1);
 len = 0;
 cursor = 0;
 while (cursor  oldlen) {
@@ -1271,7 +1272,7 @@
 /* guarantee we have at least 40 bytes to write.
 * In HTML5, entities may take up to 33 bytes */
 if (len + 40  maxlen) {
- replaced = erealloc(replaced, maxlen += 128);
+ replaced = erealloc(replaced, (maxlen += 128) + 1);
 }

 if (status == FAILURE) {
@@ -1291,7 +1292,6 @@
 mbsequence = old[cursor_before];
 mbseqlen = cursor - cursor_before;
 }
- matches_map = 0;

 if (this_char != '') { /* no entity on this position */
 const unsigned char *rep = NULL;
@@ -1302,12 +1302,15 @@
 goto pass_char_through;

 if (all) { /* false that CHARSET_PARTIAL_SUPPORT(charset) */
- /* look for entity for this char */
 if (to_uni_table != NULL) {
+ /* !CHARSET_UNICODE_COMPAT therefore not UTF-8; since UTF-8
+ * is the only multibyte encoding with !CHARSET_PARTIAL_SUPPORT,
+ * we're using a single byte encoding */
 map_to_unicode(this_char, to_uni_table, this_char);
 if (this_char == 0x) /* no mapping; pass through */
 goto pass_char_through;
 }
+ /* the cursor may advance */
 find_entity_for_char(this_char, charset, entity_table.ms_table, rep,
 rep_len, old, oldlen, cursor);
 } else {
@@ -1397,6 +1400,10 @@
 }
 }
 /* checks passed; copy entity to result */
+ /* entity size is unbounded, we may need more memory */
+ if (maxlen  len + ent_len + 2 /*  and ; */) {
+ replaced = erealloc(replaced, (maxlen += ent_len + 128) + 1);
+ }
 replaced[len++] = '';
 memcpy(replaced[len], old[cursor], ent_len);
 len += ent_len;

Copied: 
php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt 
(from rev 323056, 
php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt)

===
--- php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt 
(rev 0)
+++ php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt 
2012-02-05 09:59:33 UTC (rev 323074)

@@ -0,0 +1,10 @@
+--TEST--
+Bug #60965: Buffer overflow on htmlspecialchars/entities with 
$double=false

+--FILE--
+?php
+echo 
htmlspecialchars('#x05;',

+ENT_QUOTES, 'UTF-8', false), \n;
+echo Done.\n;
+--EXPECT--

[PHP-CVS] svn: /php/php-src/trunk/sapi/cli/ php_cli_server.c

2012-02-05 Thread Gustavo André dos Santos Lopes
cataphract   Sun, 05 Feb 2012 11:45:01 +

Revision: http://svn.php.net/viewvc?view=revision&revision=323078

Log:
- Connection: close, not closed.

Changed paths:
U   php/php-src/trunk/sapi/cli/php_cli_server.c

Modified: php/php-src/trunk/sapi/cli/php_cli_server.c
===
--- php/php-src/trunk/sapi/cli/php_cli_server.c 2012-02-05 10:35:56 UTC (rev 
323077)
+++ php/php-src/trunk/sapi/cli/php_cli_server.c 2012-02-05 11:45:01 UTC (rev 
323078)
@@ -351,7 +351,7 @@
smart_str_appendl_ex(buffer, \r\n, 2, persistent);
}
}
-   smart_str_appendl_ex(buffer, Connection: closed\r\n, 
sizeof(Connection: closed\r\n) - 1, persistent);
+   smart_str_appendl_ex(buffer, Connection: close\r\n, 
sizeof(Connection: close\r\n) - 1, persistent);
 } /* }}} */

 static const char *get_mime_type(const char *ext, size_t ext_len) /* {{{ */
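
Review bot: the header literal appears twice on the changed line, once as the data and once inside `sizeof(...) - 1`, so a one-character typo such as `closed` has to be fixed in two places. Defining the string once (a `#define` or a `static const char[]`) and taking `sizeof` of that name would keep the text and its length in step, and a test asserting that the built-in server's response carries `Connection: close` would catch a regression.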


Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Gustavo Lopes

On Sun, 5 Feb 2012 10:55:39 -, Nuno Lopes wrote:

> I didn't carefully review this patch, but doesn't this code suffer
> from potential math overflow?
> i.e. with strlen($input_str) > INT_MAX/2  (or UINT_MAX/2)

All the length and position variables are of type size_t, so I'd say
we'd be out of memory long before that could be a problem (unless
there's some architecture of which I'm not aware where SIZE_T is low
enough for this to be a problem).


--
Gustavo Lopes




Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Gustavo Lopes

On Sun, 05 Feb 2012 14:00:11 +0100, Gustavo Lopes wrote:

> On Sun, 5 Feb 2012 10:55:39 -, Nuno Lopes wrote:
>
>> I didn't carefully review this patch, but doesn't this code suffer
>> from potential math overflow?
>> i.e. with strlen($input_str) > INT_MAX/2  (or UINT_MAX/2)
>
> All the length and position variables are of type size_t, so I'd say
> we'd be out of memory long before that could be a problem (unless
> there's some architecture of which I'm not aware where SIZE_T is low
> enough for this to be a problem).

read: SIZE_MAX, not SIZE_T

--
Gustavo Lopes




Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Pierre Joye
2012/2/5 Gustavo Lopes glo...@nebm.ist.utl.pt:

>> All the length and position variables are of type size_t, so I'd say
>> we'd be out of memory long before that could be a problem (unless
>> there's some architecture of which I'm not aware where SIZE_T is low
>> enough for this to be a problem).
>
> read: SIZE_MAX, not SIZE_T

By the way, SIZE_MAX (can be up to 65k or so afair) should not be used
in relation with buffer (string or other) length. It defines the
maximum size of a single object allocation that the compiler can
manage. Not sure if it is actually what you want here.

-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org




Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Gustavo Lopes

On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:

> 2012/2/5 Gustavo Lopes glo...@nebm.ist.utl.pt:
>
>>> All the length and position variables are of type size_t, so I'd say
>>> we'd be out of memory long before that could be a problem (unless
>>> there's some architecture of which I'm not aware where SIZE_T is low
>>> enough for this to be a problem).
>>
>> read: SIZE_MAX, not SIZE_T
>
> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used
> in relation with buffer (string or other) length. It defines the
> maximum size of a single object allocation that the compiler can
> manage. Not sure if it is actually what you want here.

SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section 
7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf 
(page 259).


Forgetting the irrelevant case where size_t is 16 bit wide, there is 
indeed a potential problem if size_t is 32-bit wide. First, if you can 
pass a string with about 2GB, the multiplication by 2 would 
wrap around. But you could even pass a smaller string (possibly 10/15 
times less, I don't know what's the maximum expansion factor of 
htmlentities) and then it could wrap in the reallocation. I'll take this 
into account.


--
Gustavo Lopes
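
The wrap-around discussed in the message above, as an added example that is not part of the original thread or of php-src. It models a 32-bit size_t with `uint32_t` (an assumption, so the behaviour reproduces on 64-bit hosts), and every function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a 32-bit size_t with uint32_t so the wrap-around
 * reproduces on 64-bit hosts. All names here are hypothetical. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Unchecked doubling: wraps once oldlen exceeds SIZE32_MAX / 2. */
static size32_t double_unchecked(size32_t oldlen) {
    return (size32_t)(2u * oldlen);
}

/* Checked doubling: test the operand before multiplying. */
static bool double_checked(size32_t oldlen, size32_t *out) {
    if (oldlen > SIZE32_MAX / 2) return false;
    *out = (size32_t)(2u * oldlen);
    return true;
}

/* Naive room check: len + need can itself wrap and report "enough room". */
static bool needs_growth_naive(size32_t len, size32_t cap, size32_t need) {
    return (size32_t)(len + need) > cap;
}

/* Room check without a wrapping addition (requires len <= cap). */
static bool needs_growth(size32_t len, size32_t cap, size32_t need) {
    return (size32_t)(cap - len) < need;
}

/* Checked growth: cap + extra, plus one terminator byte, must both fit. */
static bool grow_checked(size32_t cap, size32_t extra, size32_t *new_cap) {
    if (extra >= SIZE32_MAX - cap) return false;
    *new_cap = cap + extra;
    return true;
}

int main(void) {
    size32_t n = 0;
    printf("2 * 0x80000001 unchecked = %u\n", (unsigned)double_unchecked(0x80000001u));
    printf("checked doubling accepted: %d\n", double_checked(0x80000001u, &n));
    printf("naive room check near the limit: %d, safe: %d\n",
           needs_growth_naive(0xFFFFFFF0u, 0xFFFFFFFEu, 40),
           needs_growth(0xFFFFFFF0u, 0xFFFFFFFEu, 40));
    return 0;
}
```

The naive check reports that no growth is needed exactly when the buffer is nearly full, which is the case where a subsequent write would run past the allocation.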




[PHP-CVS] svn: /php/php-src/trunk/ext/standard/ html.c

2012-02-05 Thread Gustavo André dos Santos Lopes
cataphract   Sun, 05 Feb 2012 14:57:57 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=323079

Log:
- Fixed possible unsigned int wrap around in html.c. Note that 5.3 has the same
  (potential) problem; even though the code is substantially different, the
  variable name and the fashion it was incremented was kept.

Changed paths:
U   php/php-src/trunk/ext/standard/html.c

Modified: php/php-src/trunk/ext/standard/html.c
===
--- php/php-src/trunk/ext/standard/html.c   2012-02-05 11:45:01 UTC (rev 
323078)
+++ php/php-src/trunk/ext/standard/html.c   2012-02-05 14:57:57 UTC (rev 
323079)
@@ -1257,9 +1257,13 @@
maxlen = 128;
} else {
maxlen = 2 * oldlen;
+   if (maxlen  oldlen) {
+   zend_error_noreturn(E_ERROR, Input string is too 
long);
+   return NULL;
+   }
}

-   replaced = emalloc(maxlen + 1);
+   replaced = emalloc(maxlen + 1); /* adding 1 is safe: maxlen is even */
len = 0;
cursor = 0;
while (cursor  oldlen) {
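Review bot: in the new wrap check after `maxlen = 2 * oldlen`, the `return NULL;` that follows `zend_error_noreturn(E_ERROR, ...)` cannot execute if the call behaves as its name says, and it suggests to readers that callers must handle a NULL result; drop it or replace it with a comment. Testing `oldlen` against `SIZE_MAX / 2` before multiplying would state the limit directly instead of detecting the wrap after the fact. The `/* adding 1 is safe: maxlen is even */` comment is terse: it would help to say that an even value cannot be the (odd) maximum of the type, and that this also covers the `maxlen = 128` branch.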
@@ -1271,8 +1275,9 @@

/* guarantee we have at least 40 bytes to write.
 * In HTML5, entities may take up to 33 bytes */
-   if (len + 40  maxlen) {
-   replaced = erealloc(replaced, (maxlen += 128) + 1);
+   if (len  maxlen - 40) { /* maxlen can never be smaller than 
128 */
+   replaced = safe_erealloc(replaced, maxlen , 1, 128 + 1);
+   maxlen += 128;
}

if (status == FAILURE) {
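Review bot: the rewritten room check that subtracts 40 from `maxlen` is only correct under the invariant stated in its comment (maxlen is never below 128), and that invariant is established by the initialisation in the previous hunk, not here; a later change to the initial size would make the subtraction wrap silently. An assertion, or a named minimum-capacity constant shared by both places, would pin it down. The growth amount also appears twice now, as `128 + 1` in the `safe_erealloc` offset and as `maxlen += 128`; a local variable for the increment keeps the allocated size and the recorded capacity from drifting apart. Minor: stray space in `maxlen , 1`.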
@@ -1401,8 +1406,11 @@
}
/* checks passed; copy entity to result */
/* entity size is unbounded, we may need more 
memory */
-   if (maxlen  len + ent_len + 2 /*  and ; */) {
-   replaced = erealloc(replaced, (maxlen 
+= ent_len + 128) + 1);
+   /* at this point maxlen - len = 40 */
+   if (maxlen - len  ent_len + 2 /*  and ; */) {
+   /* ent_len  oldlen, which is certainly 
= SIZE_MAX/2 */
+   replaced = safe_erealloc(replaced, 
maxlen, 1, ent_len + 128 + 1);
+   maxlen += ent_len + 128;
}
replaced[len++] = '';
memcpy(replaced[len], old[cursor], ent_len);
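Review bot: in the entity-copy branch, the offset handed to `safe_erealloc` (`ent_len + 128 + 1`) is summed before the call, so the allocator's overflow check never sees that addition and its safety rests entirely on the comment bounding `ent_len` by `oldlen` and `oldlen` by `SIZE_MAX/2`. That second bound comes from the check added in the first hunk, so the comment should say where it is established (or an assertion should enforce it) to keep the reasoning intact under refactoring. The commit message notes that 5.3 has the same potential problem; a follow-up or tracking note for that branch would be worth adding.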


Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Gustavo Lopes

On Sun, 05 Feb 2012 15:00:11 +0100, Gustavo Lopes wrote:

> On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:
>
>> 2012/2/5 Gustavo Lopes glo...@nebm.ist.utl.pt:
>>
>>>> All the length and position variables are of type size_t, so I'd say
>>>> we'd be out of memory long before that could be a problem (unless
>>>> there's some architecture of which I'm not aware where SIZE_T is low
>>>> enough for this to be a problem).
>>>
>>> read: SIZE_MAX, not SIZE_T
>>
>> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used
>> in relation with buffer (string or other) length. It defines the
>> maximum size of a single object allocation that the compiler can
>> manage. Not sure if it is actually what you want here.
>
> SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section
> 7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf
> (page 259).
>
> Forgetting the irrelevant case where size_t is 16 bit wide, there is
> indeed a potential problem if size_t is 32-bit wide. First, if you can
> pass a string with about 2GB, the multiplication by 2 would
> wrap around. But you could even pass a smaller string (possibly 10/15
> times less, I don't know what's the maximum expansion factor of
> htmlentities) and then it could wrap in the reallocation. I'll take
> this into account.

See 
http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/html.c?r1=323079r2=323078pathrev=323079


I don't know if this is worth merging to 5.4 at this point; after all 
5.3 has the same problem.


--
Gustavo Lopes




Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt

2012-02-05 Thread Nuno Lopes

> On Sun, 05 Feb 2012 15:00:11 +0100, Gustavo Lopes wrote:
>
>> On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:
>>
>>> 2012/2/5 Gustavo Lopes glo...@nebm.ist.utl.pt:
>>>
>>>>> All the length and position variables are of type size_t, so I'd say
>>>>> we'd be out of memory long before that could be a problem (unless
>>>>> there's some architecture of which I'm not aware where SIZE_T is low
>>>>> enough for this to be a problem).
>>>>
>>>> read: SIZE_MAX, not SIZE_T
>>>
>>> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used
>>> in relation with buffer (string or other) length. It defines the
>>> maximum size of a single object allocation that the compiler can
>>> manage. Not sure if it is actually what you want here.
>>
>> SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section
>> 7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf
>> (page 259).
>>
>> Forgetting the irrelevant case where size_t is 16 bit wide, there is
>> indeed a potential problem if size_t is 32-bit wide. First, if you can
>> pass a string with about 2GB, the multiplication by 2 would
>> wrap around. But you could even pass a smaller string (possibly 10/15
>> times less, I don't know what's the maximum expansion factor of
>> htmlentities) and then it could wrap in the reallocation. I'll take
>> this into account.
>
> See
> http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/html.c?r1=323079r2=323078pathrev=323079
>
> I don't know if this is worth merging to 5.4 at this point; after all 5.3
> has the same problem.


Thank you!
I think this bug (although probably exploitable) is low risk, since it 
requires a large 'memory_limit' value to be triggerable.

Your last patch seems good to me.

Nuno 


