From: Dmitry Stogov
Date: Fri, 7 Sep 2007 08:30:10 +0000 (+0000)
Subject: Added checks for malformated FastCGI requests (Mattias Bengtsson)
X-Git-Tag: RELEASE_2_0_0a1~1867
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0507b17657cb9353e72c8f51d36b8511bd2a305a;p=php

Added checks for malformated FastCGI requests (Mattias Bengtsson)
---

diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 50f8a250b1..85855036d3 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -620,7 +620,8 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 val_len |= (*p++ << 8);
 val_len |= *p++;
 }
- if (p + name_len + val_len > end) {
+ if (name_len + val_len < 0 ||
+ name_len + val_len > end - p) {
 /* Malformated request */
 ret = 0;
 break;
@@ -676,6 +677,10 @@ static int fcgi_read_request(fcgi_request *req)
 padding = hdr.paddingLength;
 }

+ if (len + padding > FCGI_MAX_LENGTH) {
+ return 0;
+ }
+
 req->id = (hdr.requestIdB1 << 8) + hdr.requestIdB0;

 if (hdr.type == FCGI_BEGIN_REQUEST && len == sizeof(fcgi_begin_request)) {
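Review bot: The overflow guard `name_len + val_len < 0` in fcgi_get_params only fires if the addition wraps, and for signed operands that wrap is undefined behaviour, so a compiler may remove the test; the declarations are outside the hunk, so this assumes both lengths are `int`. Comparing each length against the bytes that remain avoids the addition altogether: `if (name_len < 0 || val_len < 0 || name_len > end - p ||` followed by `val_len > end - p - name_len) {`. The context lines above the check consume the length bytes with `*p++`; if nothing outside the hunk guarantees those bytes lie before `end`, `end - p` may already be negative at this point, which the per-length comparison also rejects. The function body starts and ends outside the hunk.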
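Review bot: The new bound in fcgi_read_request carries no comment saying what it protects, and it is applied once, to the `len` and `padding` taken from the header parsed just above it. If later code in this function (outside the hunk) reads further record headers and reuses `len + padding` as a read size, each of those reads needs the same comparison first. I would add a comment such as `/* content + padding must fit the record buffer; reject oversized records before reading */`, with the wording confirmed against the buffer declaration, which the hunk does not show. The rejection also returns 0 silently, so a malformed-record log line at this point would help operators distinguish hostile or broken clients from ordinary disconnects.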