From 6744737577bcbae4ff3d0082f23c9282758cacbb Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Sun, 3 Jul 2016 09:30:33 +0800
Subject: [PATCH] Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
---
 NEWS | 3 +++
 ext/session/mod_files.c | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/NEWS b/NEWS
index c8abefe432..3e2be90c56 100644
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,9 @@ PHP NEWS
 . Fixed bug #72306 (Heap overflow through proc_open and $env parameter). (Laruence)
+- Session:
+ . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
+
 - Streams:
 . Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault). (Laruence)
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index b380cfe86b..64a6c47e00 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -294,6 +294,11 @@ static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)
 dirname_len = strlen(dirname);
+ if (dirname_len >= MAXPATHLEN) {
+ php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname);
+ return (0);
+ }
+
 /* Prepare buffer (dirname never changes) */
 memcpy(buf, dirname, dirname_len);
 buf[dirname_len] = PHP_DIR_SEPARATOR;
--
2.50.1
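Review bot: The new guard `dirname_len >= MAXPATHLEN` in ps_files_cleanup_dir still admits a directory name of exactly MAXPATHLEN - 1 bytes, so `buf[dirname_len] = PHP_DIR_SEPARATOR` then writes the last byte of a MAXPATHLEN-sized buffer and leaves no room for an entry name or a terminating NUL. That is safe only if `buf` really holds at least MAXPATHLEN bytes and the per-entry code later in the function re-checks the combined length; the declaration and that loop are both outside this hunk, so this cannot be confirmed from here. Tying the bound to the buffer itself, for example `if (dirname_len + 2 > sizeof(buf)) {` (assuming `buf` is a local array), with a comment such as `/* dirname + separator + NUL must fit in buf */`, would make the invariant visible at the point of the copy. The added `return (0);` also needs a check against the code above the hunk: if the directory has already been opened by this point, the handle should be closed before returning, otherwise every overlong path leaks a descriptor.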