From: Antony Dovgal
Date: Wed, 3 Feb 2016 11:48:38 +0000 (+0300)
Subject: check length first, prevent out-of-bounds read
X-Git-Tag: php-7.1.0alpha2~54^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f81e95c33fdebf5d219b9e83c4c15488e35d77c;p=php
check length first, prevent out-of-bounds read
---
diff --git a/ext/session/session.c b/ext/session/session.c
index d67045ed89..10094424d4 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2942,7 +2942,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
 zval_dtor(&progress->sid);
 ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
- } else if (memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
+ } else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
 smart_str_free(&progress->key);
 smart_str_appends(&progress->key, PS(rfc1867_prefix));
 smart_str_appendl(&progress->key, *data->value, value_len);
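Review bot: In the new `else if` condition the `name_len + 1` passed to `memcmp` is redundant once `name_len == strlen(PS(rfc1867_name))` has been checked, and it still depends on `data->name` being NUL-terminated at `name_len`, which this hunk does not show. Comparing exactly `name_len` bytes, as the `session_name` branch just above does, keeps the two branches parallel and bounds the read by the length that was actually verified: `} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len) == 0) {`. Because `data->name` is presumably the client-supplied form field name, a short comment such as `/* length check must come first: memcmp may not read past the configured name */` would stop a later refactor from reordering the operands. The first branch uses a cached `progress->sname_len` while this one calls `strlen()` on every event, so caching the length the same way would be more consistent. The enclosing function starts and ends outside the hunk, so where `name_len` is computed cannot be confirmed here.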