From 6f81e95c33fdebf5d219b9e83c4c15488e35d77c Mon Sep 17 00:00:00 2001
From: Antony Dovgal <tony2001@php.net>
Date: Wed, 3 Feb 2016 14:48:38 +0300
Subject: [PATCH] check length first, prevent out-of-bounds read

---
 ext/session/session.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/session/session.c b/ext/session/session.c
index d67045ed89..10094424d4 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2942,7 +2942,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
 					zval_dtor(&progress->sid);
 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
-				} else if (memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
+				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
 					smart_str_free(&progress->key);
 					smart_str_appends(&progress->key, PS(rfc1867_prefix));
 					smart_str_appendl(&progress->key, *data->value, value_len);
-- 
2.40.0