Avoid possible buffer overflow.

author Edin Kadribasic <edink@php.net>

Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)

committer Edin Kadribasic <edink@php.net>

Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)
author Edin Kadribasic <edink@php.net>
Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)
committer Edin Kadribasic <edink@php.net>
Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c

index 119c7021dc3f6745bfed73d461105fea1afd57d4..208fdc41a0564eef90ad0b0ba80172cf43f11744 100644 (file)
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -234,10 +234,11 @@ static void sapi_cgibin_flush(void *server_context)
         }
  }
  
+#define SAPI_CGI_MAX_HEADER_LENGTH 1024
  
  static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
  {
-       char buf[1024];
+       char buf[SAPI_CGI_MAX_HEADER_LENGTH];
         sapi_header_struct *h;
         zend_llist_position pos;
         long rfc2616_headers = 0;
@@ -255,7 +256,13 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
                 int len;
                 
                 if (rfc2616_headers) {
-                       len = sprintf(buf, "%s\r\n", SG(sapi_headers).http_status_line);
+                       len = snprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, 
+                                                  "%s\r\n", SG(sapi_headers).http_status_line);
+
+                       if (len > SAPI_CGI_MAX_HEADER_LENGTH) {
+                               len = SAPI_CGI_MAX_HEADER_LENGTH;
+                       }
+
                 } else {
                         len = sprintf(buf, "Status: %d\r\n", SG(sapi_headers).http_response_code);
                 }
author	Edin Kadribasic <edink@php.net>
	Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)
committer	Edin Kadribasic <edink@php.net>
	Fri, 22 Nov 2002 15:47:39 +0000 (15:47 +0000)