From 3766f870d4f2e6911ae6e735bfc274f54b982e7c Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 24 Feb 2004 21:53:57 +0000
Subject: [PATCH] MFH: Fixed bug #27383 (Potential crash inside fopen_wrapper,
 while parsing response code).

---
 NEWS                              |  2 ++
 ext/standard/http_fopen_wrapper.c | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index b8a0edf829..c41daa3a0e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2004, Version 4.3.5
+- Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing
+  response code). (Ilia)
 - Fixed bug #27341 (HEAD requests fail to return data). (Ilia)
 - Fixed bug #27337 (missing sapi_shutdown() in sapi/isapi causes memory leak). 
   (Jani, msisolak at yahoo dot com)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index d7a33d031f..c5961bc1bc 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -339,17 +339,22 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 	}
 
 
-	if (!php_stream_eof(stream))	{
+	if (!php_stream_eof(stream)) {
+		size_t tmp_line_len;
 		/* get response header */
 
-		if (php_stream_gets(stream, tmp_line, sizeof(tmp_line)-1) != NULL)	{
+		if (_php_stream_get_line(stream, tmp_line, sizeof(tmp_line) - 1, &tmp_line_len) != NULL) {
 			zval *http_response;
 			int response_code;
 
 			MAKE_STD_ZVAL(http_response);
 			ZVAL_NULL(http_response);
 
-			response_code = atoi(tmp_line + 9);
+			if (tmp_line_len > 9) {
+				response_code = atoi(tmp_line + 9);
+			} else {
+				response_code = 0;
+			}
 			switch(response_code) {
 				case 200:
 				case 302:
@@ -361,11 +366,15 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 							tmp_line, response_code);
 					break;
 				default:
+					/* safety net in the event tmp_line == NULL */
+					if (!tmp_line_len) {
+						tmp_line[0] = '\0';
+					}
 					php_stream_notify_error(context, PHP_STREAM_NOTIFY_FAILURE,
 							tmp_line, response_code);
 			}
 			
-			Z_STRLEN_P(http_response) = strlen(tmp_line);
+			Z_STRLEN_P(http_response) = tmp_line_len;
 			Z_STRVAL_P(http_response) = estrndup(tmp_line, Z_STRLEN_P(http_response));
 			if (Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=='\n') {
 				Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=0;
-- 
2.40.0