From 068a78014f678f066ba6a6b6d864a7f49530057c Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 19 Jan 2011 08:38:25 +0000
Subject: [PATCH] Added checks for malformated FastCGI requests (Edgar Frank)
---
 sapi/cgi/fastcgi.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index a5e4efa0fa..23fa043e3e 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -605,28 +605,39 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 {
 char buf[128];
 char *tmp = buf;
- int buf_size = sizeof(buf);
- int name_len, val_len;
+ size_t buf_size = sizeof(buf);
+ unsigned int name_len, val_len;
 char *s;
 int ret = 1;
 while (p < end) {
 name_len = *p++;
 if (name_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
 name_len = ((name_len & 0x7f) << 24);
 name_len |= (*p++ << 16);
 name_len |= (*p++ << 8);
 name_len |= *p++;
 }
+ if (p >= end) {
+ ret = 0;
+ break;
+ }
 val_len = *p++;
 if (val_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
 val_len = ((val_len & 0x7f) << 24);
 val_len |= (*p++ << 16);
 val_len |= (*p++ << 8);
 val_len |= *p++;
 }
- if (name_len + val_len < 0 ||
- name_len + val_len > end - p) {
+ if (name_len + val_len > end - p) {
 /* Malformated request */
 ret = 0;
 break;
-- 
2.40.0
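Review bot: The two added guards `if (p + 3 >= end)` compute `p + 3` before it is known that three bytes remain, so on a truncated record the pointer is formed beyond one-past-the-end of the buffer, which is undefined behaviour in C. Comparing the remaining length keeps the same accept/reject set without that out-of-range pointer: `if (end - p <= 3) {` in both the name_len and the val_len branch. The final test `name_len + val_len > end - p` now mixes `unsigned int` with a signed pointer difference; it is sound here because each length is capped at 0x7fffffff and `p <= end` holds at that point, and a one-line comment such as `/* lengths are <= 0x7fffffff each, so the unsigned sum cannot wrap */` would keep a later edit from breaking it. The loop body continues past the end of this hunk, so how `buf_size` (now `size_t`) is compared against the lengths further down is not visible here.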