From: Antony Dovgal <tony2001@php.net>
Date: Wed, 3 Feb 2016 11:48:38 +0000 (+0300)
Subject: check length first, prevent out-of-bounds read
X-Git-Tag: php-7.2.0alpha1~620^2~16
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=64e8cfadf518c722cc9f1e35c5167b9763855201;p=php

check length first, prevent out-of-bounds read
---

diff --git a/ext/session/session.c b/ext/session/session.c
index 5f44f991c1..866fab68a4 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2963,7 +2963,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
 					zval_dtor(&progress->sid);
 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
-				} else if (memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
+				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
 					smart_str_free(&progress->key);
 					smart_str_appends(&progress->key, PS(rfc1867_prefix));
 					smart_str_appendl(&progress->key, *data->value, value_len);