diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-05-24 15:52:15 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-05-24 15:52:15 -0700 |
| commit | e9559131152ab0fa89737db11ebe8f43e1435b96 (patch) | |
| tree | 0fd4087bc46c742bfd905faf59b1010ec5825679 | |
| parent | 7a1aac3343af85b4af4df5f8844946eaa27394ab (diff) | |
| download | php-git-e9559131152ab0fa89737db11ebe8f43e1435b96.tar.gz | |
Better fix for bug #72135
| -rw-r--r-- | ext/standard/html.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ext/standard/html.c b/ext/standard/html.c index 81d8aff9e9..c5fd4b87a8 100644 --- a/ext/standard/html.c +++ b/ext/standard/html.c @@ -1423,6 +1423,11 @@ encode_amp: } replaced[len] = '\0'; *newlen = len; + if(len > INT_MAX) { + zend_error_noreturn(E_ERROR, "Escaped string is too long"); + efree(replaced); + return NULL; + } return replaced; } @@ -1444,10 +1449,6 @@ static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all) } replaced = php_escape_html_entities_ex(str, str_len, &new_len, all, (int) flags, hint_charset, double_encode TSRMLS_CC); - if (new_len > INT_MAX) { - efree(replaced); - RETURN_FALSE; - } RETVAL_STRINGL(replaced, (int)new_len, 0); } /* }}} */ |