Fix bug #68618 (out of bounds read crashes php-cgi)
authorStanislav Malyshev <stas@php.net>
Tue, 30 Dec 2014 09:23:05 +0000 (01:23 -0800)
committerStanislav Malyshev <stas@php.net>
Tue, 30 Dec 2014 09:23:05 +0000 (01:23 -0800)
NEWS
sapi/cgi/cgi_main.c

diff --git a/NEWS b/NEWS
index 581f3a62b880ec6da3cc0a30a023a1653183741a..fa57ef3161c3d77d060bbb8ec5414c80bc618045 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20?? PHP 5.4.37
+- CGI:
+  . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
 
 18 Dec 2014 PHP 5.4.36
 
index b8ff878fe4cc56d451b1d571d2dd574d3c359c28..0af98a47d47aa992794840975125a885cab1a716 100644 (file)
@@ -2429,14 +2429,17 @@ consult the installation file that came with this distribution, or visit \n\
                                                    int i = 1;
 
                                                    c = file_handle.handle.stream.mmap.buf[i++];
-                                                       while (c != '\n' && c != '\r' && c != EOF) {
+                                                       while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) {
                                                                c = file_handle.handle.stream.mmap.buf[i++];
                                                        }
                                                        if (c == '\r') {
-                                                               if (file_handle.handle.stream.mmap.buf[i] == '\n') {
+                                                               if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') {
                                                                        i++;
                                                                }
                                                        }
+                                                       if(i > file_handle.handle.stream.mmap.len) {
+                                                               i = file_handle.handle.stream.mmap.len;
+                                                       }
                                                        file_handle.handle.stream.mmap.buf += i;
                                                        file_handle.handle.stream.mmap.len -= i;
                                                }
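Review bot: The first read, `c = file_handle.handle.stream.mmap.buf[i++];` with `i = 1`, still happens before any comparison against `mmap.len`, so a one-byte mapping reads `buf[1]`; the added clamp `if(i > file_handle.handle.stream.mmap.len)` repairs the later pointer and length update but not that read. Unless the enclosing condition (which starts outside this hunk) already guarantees at least two bytes, fold the read into the bounded loop, e.g. `while (i < file_handle.handle.stream.mmap.len) { c = file_handle.handle.stream.mmap.buf[i++]; if (c == '\n' || c == '\r') break; }`. `i` is declared `int` but is compared with and subtracted from `mmap.len`; if that field is an unsigned size type (its declaration is not visible here), `size_t i = 1;` would avoid the signed/unsigned comparison. A one-line comment such as `/* skip the first line without reading past mmap.len */` above the loop would record why the bounds checks are there.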