Better fix for bug #72135

smalyshev · smalyshev · commit e9559131152a · 2016-05-24T15:52:15.000-07:00
diff --git a/ext/standard/html.c b/ext/standard/html.c
@@ -1423,6 +1423,11 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size
 	}
 	replaced[len] = '\0';
 	*newlen = len;
+	if(len > INT_MAX) {
+		zend_error_noreturn(E_ERROR, "Escaped string is too long");
+		efree(replaced);
+		return NULL;
+	}
 
 	return replaced;
 }
@@ -1444,10 +1449,6 @@ static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
 	}
 
 	replaced = php_escape_html_entities_ex(str, str_len, &new_len, all, (int) flags, hint_charset, double_encode TSRMLS_CC);
-	if (new_len > INT_MAX) {
-		efree(replaced);
-		RETURN_FALSE;
-	}
 	RETVAL_STRINGL(replaced, (int)new_len, 0);
 }
 /* }}} */

Original file line number	Diff line number	Diff line change
`@@ -1423,6 +1423,11 @@ PHPAPI char php_escape_html_entities_ex(unsigned char old, size_t oldlen, size`
`1423`	`1423`	`}`
`1424`	`1424`	`replaced[len] = '\0';`
`1425`	`1425`	`*newlen = len;`
	`1426`	`+ if(len > INT_MAX) {`
	`1427`	`+ zend_error_noreturn(E_ERROR, "Escaped string is too long");`
	`1428`	`+ efree(replaced);`
	`1429`	`+ return NULL;`
	`1430`	`+ }`
`1426`	`1431`
`1427`	`1432`	`return replaced;`
`1428`	`1433`	`}`
`@@ -1444,10 +1449,6 @@ static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)`
`1444`	`1449`	`}`
`1445`	`1450`
`1446`	`1451`	`replaced = php_escape_html_entities_ex(str, str_len, &new_len, all, (int) flags, hint_charset, double_encode TSRMLS_CC);`
`1447`		`- if (new_len > INT_MAX) {`
`1448`		`- efree(replaced);`
`1449`		`- RETURN_FALSE;`
`1450`		`- }`
`1451`	`1452`	`RETVAL_STRINGL(replaced, (int)new_len, 0);`
`1452`	`1453`	`}`
`1453`	`1454`	`/* }}} */`