This is the patch, updated to apply to 5.1.2-1 in Debian.
Regards, Allard Hoeve
Index: ext/standard/html.c
===================================================================
--- ext/standard/html.c (revision 36)
+++ ext/standard/html.c (working copy)
@@ -884,7 +884,7 @@
unsigned char replacement[15];
int replacement_len;
- ret = estrdup(old);
+ ret = estrdup(old, oldlen);
retlen = oldlen;
if (!retlen) {
goto empty_source;
