From 23ba6c1bd3b99f74d5feaee6fa40b4ec34762369 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 8 Dec 2005 02:54:27 +0000
Subject: [PATCH] MFH: Fixed bug #34359 (Possible crash inside fopen http
 wrapper).

---
 NEWS                              |  1 +
 ext/standard/http_fopen_wrapper.c | 30 +++++++++---------------------
 2 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/NEWS b/NEWS
index c6558e07fd..36321ebc39 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ PHP 4                                                                      NEWS
 - Fixed bug #35278 (Multiple virtual() calls crash Apache 2 php module). (Ilia)
 - Fixed bug #35062 (socket_read() produces warnings on non blocking sockets).
   (Nuno, Ilia)
+- Fixed bug #34359 (Possible crash inside fopen http wrapper). (Ilia,Nuno,Sara)
 - Fixed bug #33153 (crash in mssql_next result). (Frank)
 - Fixed bug #32009 (crash when mssql_bind() is called more than once). (Frank)
 - Fixed bug #33963 (mssql_bind() fails on input parameters). (Frank)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 5339f58288..fec88cfe8a 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -392,28 +392,16 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 	
 	http_header_line = emalloc(HTTP_HEADER_BLOCK_SIZE);
 
-	while (!body && !php_stream_eof(stream))	{
-		
-		if (php_stream_gets(stream, http_header_line, HTTP_HEADER_BLOCK_SIZE-1) != NULL)	{
-			char *p;
-			int found_eol = 0;
-			int http_header_line_length;
-			
-			http_header_line[HTTP_HEADER_BLOCK_SIZE-1] = '\0';
-
-			p = http_header_line;
-			while(*p) {
-				while(*p == '\n' || *p == '\r')	{
-					*p = '\0';
-					p--;
-					found_eol = 1;
-				}
-				if (found_eol)
-					break;
-				p++;
+	while (!body && !php_stream_eof(stream)) {
+		size_t http_header_line_length;
+		if (php_stream_get_line(stream, http_header_line, HTTP_HEADER_BLOCK_SIZE, &http_header_line_length TSRMLS_CC) && *http_header_line != '\n' && *http_header_line != '\r') {
+			char *e = http_header_line + http_header_line_length - 1;
+			while (*e == '\n' || *e == '\r') {
+				e--;
 			}
-			http_header_line_length = p-http_header_line+1;
-		
+			http_header_line_length = e - http_header_line + 1;
+			http_header_line[http_header_line_length] = '\0';
+
 			if (!strncasecmp(http_header_line, "Location: ", 10)) {
 				strlcpy(location, http_header_line + 10, sizeof(location));
 			} else if (!strncasecmp(http_header_line, "Content-Type: ", 14)) {
-- 
2.40.0