- Fixed possible stack buffer overflow in FastCGI SAPI. (Andrey Nigmatulin)

- Fixed sending of uninitialized paddings which may contain some information.
  (Andrey Nigmatulin)

diff --git a/NEWS b/NEWS
index fa01bd5cbf8534c170f469435e47565a306b9041..dc3bcc3bb6d48ba161295907507f7d0e4ae44ea6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Apr 2008, PHP 5.2.6
+- Fixed possible stack buffer overflow in FastCGI SAPI. (Andrey Nigmatulin)
+- Fixed sending of uninitialized paddings which may contain some information.
+  (Andrey Nigmatulin)
 - Fixed bug #44613 (Crash inside imap_headerinfo()). (Ilia, jmessa)
 - Fixed bug #44594 (imap_open() does not validate # of retries parameter).
   (Ilia)

diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 9d77474b741c5ea14b5a52393a382284f1816945..cb51c81e506e500c238f7bf30a0e7c63732a4bf6 100644 (file)
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -593,6 +593,9 @@ static inline int fcgi_make_header(fcgi_header *hdr, fcgi_request_type type, int
        hdr->reserved = 0;
        hdr->type = type;
        hdr->version = FCGI_VERSION_1;
+       if (pad) {
+               memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad);
+       }
        return pad;
 }
 
@@ -777,7 +780,7 @@ int fcgi_read(fcgi_request *req, char *str, int len)
 {
        int ret, n, rest;
        fcgi_header hdr;
-       unsigned char buf[8];
+       unsigned char buf[255];
 
        n = 0;
        rest = len;