From 630def46f7673fac548cbf88a92b568f06e6ef6d Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 25 May 2006 06:40:04 +0000
Subject: [PATCH] Fixed bug #37496 (FastCGI output buffer overrun)

---
 NEWS               | 1 +
 sapi/cgi/fastcgi.c | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index fb41f7ad3d..7600e7703c 100644
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,7 @@ PHP                                                                        NEWS
 - Fixed bug #37505 (touch() truncates large files). (Ilia)
 - Fixed bug #37499 (CLI segmentation faults during cleanup with sybase-ct 
   extension enabled). (Tony)
+- Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry)
 - Fixed bug #37487 (oci_fetch_array() array-type should always default to
   OCI_BOTH). (Tony)
 - Fixed bug #37395 (recursive mkdir() fails to create nonexistent directories 
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 609c68eac1..1a6cd54ac1 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -798,6 +798,7 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 	limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 	if (!req->out_hdr) {
 		limit -= sizeof(fcgi_header);
+		if (limit < 0) limit = 0;
 	}
 
 	if (len < limit) {
@@ -810,8 +811,10 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l
 		if (!req->out_hdr) {
 			open_packet(req, type);
 		}
-		memcpy(req->out_pos, str, limit);
-		req->out_pos += limit;
+		if (limit > 0) {
+			memcpy(req->out_pos, str, limit);
+			req->out_pos += limit;
+		}
 		if (!fcgi_flush(req, 0)) {
 			return -1;
 		}
-- 
2.40.0