Fixed possible buffer overflow
authorDmitry Stogov <dmitry@php.net>
Mon, 23 Jun 2008 11:38:10 +0000 (11:38 +0000)
committerDmitry Stogov <dmitry@php.net>
Mon, 23 Jun 2008 11:38:10 +0000 (11:38 +0000)
sapi/cgi/cgi_main.c

index 7266b1b3f1ed6450eb8c59ab2f54870841f124bc..8ea189e277a30ca7e512a79e41206a0d062a63c5 100644 (file)
@@ -721,12 +721,16 @@ static int sapi_cgi_activate(TSRMLS_D)
            (PG(user_ini_filename) && *PG(user_ini_filename))) {
                /* Prepare search path */
                path_len = strlen(SG(request_info).path_translated);
-               path = estrndup(SG(request_info).path_translated, path_len);
-               path_len = zend_dirname(path, path_len);
 
                /* Make sure we have trailing slash! */
-               if (!IS_SLASH(path[path_len])) {
+               if (!IS_SLASH(SG(request_info).path_translated[path_len])) {
+                       path = emalloc(path_len + 2);
+                       memcpy(path, SG(request_info).path_translated, path_len + 1);
+                       path_len = zend_dirname(path, path_len);
                        path[path_len++] = DEFAULT_SLASH;
+               } else {
+                       path = estrndup(SG(request_info).path_translated, path_len);
+                       path_len = zend_dirname(path, path_len);
                }
                path[path_len] = 0;
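Review bot: The new test `IS_SLASH(SG(request_info).path_translated[path_len])` reads index `path_len`, which is the string's terminating NUL because `path_len` was set by `strlen()` just above, so the condition does not depend on the path at all. Assuming IS_SLASH is false for NUL, the `else` branch is unreachable and DEFAULT_SLASH is appended even when the dirname already ends in a slash; the overflow is avoided only because every request ends up in the `emalloc(path_len + 2)` branch. Since the path comes from request_info, I would make the larger allocation unconditional and test the last character of the dirname instead, as below; this relies on zend_dirname() never returning more than the length it was given, which should be confirmed. sapi_cgi_activate starts and continues outside the hunk.

```c
path_len = strlen(SG(request_info).path_translated);
/* Room for the copy, one appended slash and the terminator. */
path = emalloc(path_len + 2);
memcpy(path, SG(request_info).path_translated, path_len + 1);
path_len = zend_dirname(path, path_len);

/* Make sure we have trailing slash! */
if (path_len == 0 || !IS_SLASH(path[path_len - 1])) {
        path[path_len++] = DEFAULT_SLASH;
}
path[path_len] = 0;
```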