From c3408755ec458e22a4690cb48e5792102d552a3a Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@php.net>
Date: Mon, 23 Jun 2008 11:38:10 +0000
Subject: [PATCH] Fixed possible buffer overflow

---
 sapi/cgi/cgi_main.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7266b1b3f1..8ea189e277 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -721,12 +721,16 @@ static int sapi_cgi_activate(TSRMLS_D)
 	    (PG(user_ini_filename) && *PG(user_ini_filename))) {
 		/* Prepare search path */
 		path_len = strlen(SG(request_info).path_translated);
-		path = estrndup(SG(request_info).path_translated, path_len);
-		path_len = zend_dirname(path, path_len);
 
 		/* Make sure we have trailing slash! */
-		if (!IS_SLASH(path[path_len])) {
+		if (!IS_SLASH(SG(request_info).path_translated[path_len])) {
+			path = emalloc(path_len + 2);
+			memcpy(path, SG(request_info).path_translated, path_len + 1);
+			path_len = zend_dirname(path, path_len);
 			path[path_len++] = DEFAULT_SLASH;
+		} else {
+			path = estrndup(SG(request_info).path_translated, path_len);
+			path_len = zend_dirname(path, path_len);
 		}
 		path[path_len] = 0;
 
-- 
2.50.1