The Hardened-PHP Project has put out another advisory for the PHP distribution itself, versions 5.1.6/4.4.4 and below dealing with the HTML entity encoder heap.

While we were searching for a hole in htmlspecialchars() and htmlentities() to bypass the encoding of certain chars to exploit a possible eval() injection hole in another application we discovered that the implementation contains a possible bufferoverflow that can be triggered when the UTF-8 charset is selected.

The issue has been corrected in the latest PHP 5 release - version 5.2 - but is still present in the PHP 4.4 series (they have a recommended patch until the new version is posted). You can get complete information about this issue from the full vulnerability listing.