Fix bug #75981: prevent reading beyond buffer start

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index ed6adc00398888faf3ec2af0f57930ee30da15f8..78bd935a0e2bcf371980a15845f4ada578d5a188 100644 (file)
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -737,9 +737,9 @@ finish:
                                                                tmp_line, response_code);
                                }
                        }
-                       if (tmp_line[tmp_line_len - 1] == '\n') {
+                       if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
                                --tmp_line_len;
-                               if (tmp_line[tmp_line_len - 1] == '\r') {
+                               if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
                                        --tmp_line_len;
                                }
                        }

diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
new file mode 100644 (file)
index 0000000..d415de6
--- /dev/null
+++ b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$options = [
+  'http' => [
+    'protocol_version' => '1.1',
+    'header' => 'Connection: Close'
+  ],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+       "data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE