Fixed bug #37496 (FastCGI output buffer overrun)
authorDmitry Stogov <dmitry@php.net>
Mon, 22 May 2006 09:22:20 +0000 (09:22 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 22 May 2006 09:22:20 +0000 (09:22 +0000)
sapi/cgi/fastcgi.c

index 2ae5311dec7086486199184eef7fbcdccfc397fd..609c68eac10a07264f0512944735a12653791de7 100644 (file)
@@ -764,15 +764,17 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
        if (req->out_hdr && req->out_hdr->type != type) {
                close_packet(req);
        }
-       rest = len;
 #if 0
-       /* Unoptinmzed, but clear version */
+       /* Unoptimized, but clear version */
+       rest = len;
        while (rest > 0) {
                limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
                if (!req->out_hdr) {
                        if (limit < sizeof(fcgi_header)) {
-                               fcgi_flush(req, 0);
+                               if (!fcgi_flush(req, 0)) {
+                                       return -1;
+                               }
                        }
                        open_packet(req, type);
                }
@@ -786,32 +788,38 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
                        req->out_pos += limit;
                        rest -= limit;
                        str += limit;
-                       fcgi_flush(req, 0);
+                       if (!fcgi_flush(req, 0)) {
+                               return -1;
+                       }
                }
        }
 #else
-       /* Optinmzed version */
+       /* Optimized version */
+       limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
        if (!req->out_hdr) {
-               rest += sizeof(fcgi_header);
+               limit -= sizeof(fcgi_header);
        }
-       limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
-       if (rest < limit) {
+       if (len < limit) {
                if (!req->out_hdr) {
                        open_packet(req, type);
                }
                memcpy(req->out_pos, str, len);
                req->out_pos += len;
-       } else if (rest - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
+       } else if (len - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
                if (!req->out_hdr) {
                        open_packet(req, type);
                }
                memcpy(req->out_pos, str, limit);
                req->out_pos += limit;
-               fcgi_flush(req, 0);
-               open_packet(req, type);
-               memcpy(req->out_pos, str + limit, len - limit);
-               req->out_pos += len - limit;
+               if (!fcgi_flush(req, 0)) {
+                       return -1;
+               }
+               if (len > limit) {
+                       open_packet(req, type);
+                       memcpy(req->out_pos, str + limit, len - limit);
+                       req->out_pos += len - limit;
+               }
        } else {
                int pos = 0;
                int pad;
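Review bot: The optimized branch can still write past `req->out_buf` when no packet is open and fewer than `sizeof(fcgi_header)` bytes remain, because `limit -= sizeof(fcgi_header);` then drops below zero (or wraps, if `limit` is unsigned; its declaration is outside the hunk). `len < limit` is false in that state, so control falls to the later branches, and in the `else if` both `open_packet(req, type)` and `memcpy(req->out_pos, str, limit)` run with no room for the header and an invalid length. The `#if 0` reference version avoids this by flushing when `limit < sizeof(fcgi_header)` before it opens a packet; the optimized path has no equivalent. A guard ahead of the subtraction would close it, e.g. `if (limit < (int)sizeof(fcgi_header)) { if (!fcgi_flush(req, 0)) return -1; limit = sizeof(req->out_buf); }`, assuming fcgi_flush resets `out_pos` to the start of the buffer (not visible here). The body of fcgi_write starts and ends outside this hunk.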
@@ -821,7 +829,9 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
                        open_packet(req, type);
                        fcgi_make_header(req->out_hdr, type, req->id, 0xfff8);
                        req->out_hdr = NULL;
-                       fcgi_flush(req, 0);
+                       if (!fcgi_flush(req, 0)) {
+                               return -1;
+                       }
                        if (safe_write(req, str + pos, 0xfff8) != 0xfff8) {
                                req->keep = 0;
                                return -1;
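Review bot: The new `return -1;` after a failed `fcgi_flush(req, 0)` exits without clearing `req->keep`, while the `safe_write` failure just below sets `req->keep = 0` before returning. fcgi_flush is not visible in this diff, so it may already clear the flag on failure; if it does, a comment such as `/* fcgi_flush() clears req->keep on failure */` would make the asymmetry intentional. If it does not, the connection is presumably left marked reusable after a partial write, and `req->keep = 0;` belongs before the return. The same pattern appears in the next hunk and in the other flush checks this commit adds.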
@@ -835,7 +845,9 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
                open_packet(req, type);
                fcgi_make_header(req->out_hdr, type, req->id, (len - pos) - rest);
                req->out_hdr = NULL;
-               fcgi_flush(req, 0);
+               if (!fcgi_flush(req, 0)) {
+                       return -1;
+               }
                if (safe_write(req, str + pos, (len - pos) - rest) != (len - pos) - rest) {
                        req->keep = 0;
                        return -1;