From 302c53fc5d6b43957142e48bdc3c73f8a80f6773 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Mon, 22 May 2006 09:22:20 +0000
Subject: [PATCH] Fixed bug #37496 (FastCGI output buffer overrun)

---
 sapi/cgi/fastcgi.c | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 2ae5311dec..609c68eac1 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -764,15 +764,17 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 	if (req->out_hdr && req->out_hdr->type != type) {
 		close_packet(req);
 	}
-	rest = len;
 #if 0
-	/* Unoptinmzed, but clear version */
+	/* Unoptimized, but clear version */
+	rest = len;
 	while (rest > 0) {
 		limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
 		if (!req->out_hdr) {
 			if (limit < sizeof(fcgi_header)) {
-				fcgi_flush(req, 0);
+				if (!fcgi_flush(req, 0)) {
+					return -1;
+				}
 			}
 			open_packet(req, type);
 		}
@@ -786,32 +788,38 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 			req->out_pos += limit;
 			rest -= limit;
 			str += limit;
-			fcgi_flush(req, 0);
+			if (!fcgi_flush(req, 0)) {
+				return -1;
+			}
 		}
 	}
 #else
-	/* Optinmzed version */
+	/* Optimized version */
+	limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 	if (!req->out_hdr) {
-		rest += sizeof(fcgi_header);
+		limit -= sizeof(fcgi_header);
 	}
-	limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
-	if (rest < limit) {
+	if (len < limit) {
 		if (!req->out_hdr) {
 			open_packet(req, type);
 		}
 		memcpy(req->out_pos, str, len);
 		req->out_pos += len;
-	} else if (rest - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
+	} else if (len - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
 		if (!req->out_hdr) {
 			open_packet(req, type);
 		}
 		memcpy(req->out_pos, str, limit);
 		req->out_pos += limit;
-		fcgi_flush(req, 0);
-		open_packet(req, type);
-		memcpy(req->out_pos, str + limit, len - limit);
-		req->out_pos += len - limit;
+		if (!fcgi_flush(req, 0)) {
+			return -1;
+		}
+		if (len > limit) {
+			open_packet(req, type);
+			memcpy(req->out_pos, str + limit, len - limit);
+			req->out_pos += len - limit;
+		}
 	} else {
 		int pos = 0;
 		int pad;
@@ -821,7 +829,9 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 			open_packet(req, type);
 			fcgi_make_header(req->out_hdr, type, req->id, 0xfff8);
 			req->out_hdr = NULL;
-			fcgi_flush(req, 0);
+			if (!fcgi_flush(req, 0)) {
+				return -1;
+			}
 			if (safe_write(req, str + pos, 0xfff8) != 0xfff8) {
 				req->keep = 0;
 				return -1;
@@ -835,7 +845,9 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 		open_packet(req, type);
 		fcgi_make_header(req->out_hdr, type, req->id, (len - pos) - rest);
 		req->out_hdr = NULL;
-		fcgi_flush(req, 0);
+		if (!fcgi_flush(req, 0)) {
+			return -1;
+		}
 		if (safe_write(req, str + pos, (len - pos) - rest) != (len - pos) - rest) {
 			req->keep = 0;
 			return -1;
-- 
2.40.0