From 8054f84a3c6799eb7a82c19f37ed65b21b15396b Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Mon, 23 Jun 2008 11:37:50 +0000 Subject: [PATCH] Fixed possible buffer overflow --- sapi/cgi/cgi_main.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index 794bfbb34d..45271536b9 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -723,12 +723,16 @@ static int sapi_cgi_activate(TSRMLS_D) (PG(user_ini_filename) && *PG(user_ini_filename))) { /* Prepare search path */ path_len = strlen(SG(request_info).path_translated); - path = estrndup(SG(request_info).path_translated, path_len); - path_len = zend_dirname(path, path_len); /* Make sure we have trailing slash! */ - if (!IS_SLASH(path[path_len])) { + if (!IS_SLASH(SG(request_info).path_translated[path_len])) { + path = emalloc(path_len + 2); + memcpy(path, SG(request_info).path_translated, path_len + 1); + path_len = zend_dirname(path, path_len); path[path_len++] = DEFAULT_SLASH; + } else { + path = estrndup(SG(request_info).path_translated, path_len); + path_len = zend_dirname(path, path_len); } path[path_len] = 0; -- 2.50.1