From: Dmitry Stogov Date: Thu, 3 Apr 2008 10:24:44 +0000 (+0000) Subject: - Fixed possible stack buffer overflow in FastCGI SAPI. (Andrey Nigmatulin) X-Git-Tag: php-5.2.6RC4~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1dd17ad54a0bd05d51af4eb61f568e7eb8d817c4;p=php - Fixed possible stack buffer overflow in FastCGI SAPI. (Andrey Nigmatulin) - Fixed sending of uninitialized paddings which may contain some information. (Andrey Nigmatulin) --- diff --git a/NEWS b/NEWS index fa01bd5cbf..dc3bcc3bb6 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? Apr 2008, PHP 5.2.6 +- Fixed possible stack buffer overflow in FastCGI SAPI. (Andrey Nigmatulin) +- Fixed sending of uninitialized paddings which may contain some information. + (Andrey Nigmatulin) - Fixed bug #44613 (Crash inside imap_headerinfo()). (Ilia, jmessa) - Fixed bug #44594 (imap_open() does not validate # of retries parameter). (Ilia) diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c index 9d77474b74..cb51c81e50 100644 --- a/sapi/cgi/fastcgi.c +++ b/sapi/cgi/fastcgi.c @@ -593,6 +593,9 @@ static inline int fcgi_make_header(fcgi_header *hdr, fcgi_request_type type, int hdr->reserved = 0; hdr->type = type; hdr->version = FCGI_VERSION_1; + if (pad) { + memset(((unsigned char*)hdr) + sizeof(fcgi_header) + len, 0, pad); + } return pad; } @@ -777,7 +780,7 @@ int fcgi_read(fcgi_request *req, char *str, int len) { int ret, n, rest; fcgi_header hdr; - unsigned char buf[8]; + unsigned char buf[255]; n = 0; rest = len;
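Review bot: in the sapi/cgi/fastcgi.c hunk at @@ -593,6 +593,9 @@ (fcgi_make_header), the added memset writes pad bytes starting at ((unsigned char*)hdr) + sizeof(fcgi_header) + len, which lies outside the fcgi_header object the function is handed, and the visible lines neither check nor document that the caller's buffer extends that far. Please add a comment on fcgi_make_header stating that hdr must point into a buffer with at least sizeof(fcgi_header) + len + pad writable bytes, or pass the remaining buffer size in so it can be checked before zeroing. Otherwise a future caller that passes a bare header would turn this information-leak fix into an out-of-bounds write.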
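Review bot: in the sapi/cgi/fastcgi.c hunk at @@ -777,7 +780,7 @@ (fcgi_read), "unsigned char buf[255];" replaces one bare number with another, and the hunk does not show the read that fills buf, so the bound cannot be confirmed from these lines. 255 is the largest value the one-byte paddingLength field of a FastCGI record header can carry; say that in a comment or a named constant next to the declaration. The code that reads into buf should also limit the length with sizeof(buf) so the array size and the limit cannot drift apart if either changes later.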