From 60cca8b9c9b879295dbf1f76e305882e347dcb53 Mon Sep 17 00:00:00 2001
From: Jerome Loyet
Date: Sat, 26 May 2012 19:27:45 +0200
Subject: [PATCH] Fixed bug #61218 (FPM drops connection while receiving some binary values in FastCGI requests)
---
 NEWS | 2 ++
 sapi/fpm/fpm/fastcgi.c | 48 +++++++-----------------------------------
 2 files changed, 10 insertions(+), 40 deletions(-)
diff --git a/NEWS b/NEWS
index 8314eda612..eed55f1e1a 100644
--- a/NEWS
+++ b/NEWS
@@ -66,6 +66,8 @@ PHP NEWS
 . Fixed bug #62153 (when using unix sockets, multiples FPM instances can be launched without errors). (fat)
 . Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
+ . Fixed bug #61218 (FPM drops connection while receiving some binary values
+ in FastCGI requests). (fat)
 - Intl
 . ResourceBundle constructor now accepts NULL for the first two arguments.
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index 212b6ff1db..9df26f11cd 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -395,39 +395,12 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
 return ret;
 }
-static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
-{
- int ret = 1;
- int zero_found = 0;
- *eff_len = 0;
- for (; p != end; ++p) {
- if (*p == '\0') {
- zero_found = 1;
- }
- else {
- if (zero_found) {
- ret = 0;
- break;
- }
- if (*eff_len < ((uint)-1)) {
- ++*eff_len;
- }
- else {
- ret = 0;
- break;
- }
- }
- }
- return ret;
-}
-
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
 char buf[128];
 char *tmp = buf;
 size_t buf_size = sizeof(buf);
 int name_len, val_len;
- uint eff_name_len, eff_val_len;
 char *s;
 int ret = 1;
 size_t bytes_consumed;
@@ -453,32 +426,27 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
 ret = 0;
 break;
 }
- if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
- !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, &eff_val_len)) {
- /* Malicious request */
- ret = 0;
- break;
- }
- if (eff_name_len >= buf_size-1) {
- if (eff_name_len > ((uint)-1)-64) {
+
+ if (name_len >= buf_size-1) {
+ if (name_len > ((uint)-1)-64) {
 ret = 0;
 break;
 }
- buf_size = eff_name_len + 64;
+ buf_size = name_len + 64;
 tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
 if (tmp == NULL) {
 ret = 0;
 break;
 }
 }
- memcpy(tmp, p, eff_name_len);
- tmp[eff_name_len] = 0;
- s = estrndup((char*)p + name_len, eff_val_len);
+ memcpy(tmp, p, name_len);
+ tmp[name_len] = 0;
+ s = estrndup((char*)p + name_len, val_len);
 if (s == NULL) {
 ret = 0;
 break;
 }
- zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
+ zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
 p += name_len + val_len;
 }
 if (tmp != buf && tmp != NULL) {
-- 2.40.0
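Review bot: The overflow guard `if (name_len > ((uint)-1)-64)` no longer protects `buf_size = name_len + 64`, because `name_len` is a signed `int` (declared in the first fastcgi.c hunk) while the bound was written for the removed `uint eff_name_len`: a non-negative int can never exceed that limit, and a negative one would be converted to a large unsigned value in both comparisons. I would bound it in the type actually used, e.g. `if (name_len < 0 || name_len > INT_MAX - 64) {` and `buf_size = (size_t)name_len + 64;`, unless the length checks above this hunk (not visible here) already guarantee the range, in which case a comment saying so is enough. Separately, with the embedded-NUL rejection gone, `estrndup((char*)p + name_len, val_len)` can hold bytes after a `\0` while only the `char*` is stored in `req->env`, so a consumer that measures the value with `strlen` would presumably see it truncated; a short comment at that call stating that the value is copied binary-safe but its length is not kept would help the next reader. The enclosing loop starts and ends outside the hunk.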