Fixed bug #37496 (FastCGI output buffer overrun)

author Dmitry Stogov <dmitry@php.net>

Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)

committer Dmitry Stogov <dmitry@php.net>

Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)
author Dmitry Stogov <dmitry@php.net>
Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)
committer Dmitry Stogov <dmitry@php.net>
Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c

index 609c68eac10a07264f0512944735a12653791de7..1a6cd54ac1587954eb30b0b22442c6a3e1125dfd 100644 (file)
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -798,6 +798,7 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
         limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
         if (!req->out_hdr) {
                 limit -= sizeof(fcgi_header);
+               if (limit < 0) limit = 0;
         }
  
         if (len < limit) {
@@ -810,8 +811,10 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
                 if (!req->out_hdr) {
                         open_packet(req, type);
                 }
-               memcpy(req->out_pos, str, limit);
-               req->out_pos += limit;
+               if (limit > 0) {
+                       memcpy(req->out_pos, str, limit);
+                       req->out_pos += limit;
+               }
                 if (!fcgi_flush(req, 0)) {
                         return -1;
                 }
author	Dmitry Stogov <dmitry@php.net>
	Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)
committer	Dmitry Stogov <dmitry@php.net>
	Thu, 25 May 2006 06:40:47 +0000 (06:40 +0000)