From: Dmitry Stogov <dmitry@php.net>
Date: Mon, 23 Jun 2008 11:38:10 +0000 (+0000)
Subject: Fixed possible buffer overflow
X-Git-Tag: BEFORE_HEAD_NS_CHANGE~1485
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c3408755ec458e22a4690cb48e5792102d552a3a;p=php

Fixed possible buffer overflow
---

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7266b1b3f1..8ea189e277 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -721,12 +721,16 @@ static int sapi_cgi_activate(TSRMLS_D)
 	    (PG(user_ini_filename) && *PG(user_ini_filename))) {
 		/* Prepare search path */
 		path_len = strlen(SG(request_info).path_translated);
-		path = estrndup(SG(request_info).path_translated, path_len);
-		path_len = zend_dirname(path, path_len);
 
 		/* Make sure we have trailing slash! */
-		if (!IS_SLASH(path[path_len])) {
+		if (!IS_SLASH(SG(request_info).path_translated[path_len])) {
+			path = emalloc(path_len + 2);
+			memcpy(path, SG(request_info).path_translated, path_len + 1);
+			path_len = zend_dirname(path, path_len);
 			path[path_len++] = DEFAULT_SLASH;
+		} else {
+			path = estrndup(SG(request_info).path_translated, path_len);
+			path_len = zend_dirname(path, path_len);
 		}
 		path[path_len] = 0;