Index: php-5.3.17/ext/standard/html.c
===================================================================
--- php-5.3.17.orig/ext/standard/html.c 2012-09-12 23:27:16.000000000 +0200
+++ php-5.3.17/ext/standard/html.c 2016-06-01 08:45:19.800666430 +0200
@@ -1265,6 +1265,11 @@ encode_amp:
}
replaced[len] = '\0';
*newlen = len;
+ if(len < 0) {
+ zend_error_noreturn(E_ERROR, "Escaped string is too long");
+ efree(replaced);
+ return NULL;
+ }
return replaced;
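Review bot: The new `len < 0` check sits after `replaced[len] = '\0';` and `*newlen = len;`, so if `len` has gone negative the terminator has already been written outside the buffer before the error is raised. The guard belongs before those two lines, and preferably at the point where `len` is grown (outside this hunk), so the overflow never happens. Testing for a negative value after the fact also relies on signed overflow wrapping, which is undefined behaviour in C and may be optimised away. Since `zend_error_noreturn` does not return, the `efree(replaced); return NULL;` lines look unreachable; if the buffer is meant to be released, free it before raising the error.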
Index: php-5.3.17/Zend/zend_operators.c
===================================================================
--- php-5.3.17.orig/Zend/zend_operators.c 2012-09-12 23:27:16.000000000 +0200
+++ php-5.3.17/Zend/zend_operators.c 2016-06-01 09:25:21.051174241 +0200
@@ -1213,6 +1213,12 @@ ZEND_API int add_string_to_string(zval *
{
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
+ if (length < 0)
+ {
+ zend_error(E_ERROR, "string operator too long");
+ return FAILURE;
+ }
+
Z_STRVAL_P(result) = (char *) erealloc(Z_STRVAL_P(op1), length+1);
memcpy(Z_STRVAL_P(result)+Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
Z_STRVAL_P(result)[length] = 0;
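Review bot: `length < 0` is tested only after `Z_STRLEN_P(op1) + Z_STRLEN_P(op2)` has been computed in an `int`, so the guard depends on signed overflow wrapping, which is undefined behaviour and which an optimising compiler may drop. Check before adding instead, e.g. `if (Z_STRLEN_P(op2) > INT_MAX - 1 - Z_STRLEN_P(op1))`, assuming both lengths are non-negative `int`s (`INT_MAX` needs `<limits.h>`). That form also covers `length+1` in the `erealloc` call when the sum is exactly `INT_MAX`, a case the current test lets through. The function body continues past the end of this hunk.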