diff options
author | Remi Collet <remi@php.net> | 2012-11-28 10:38:13 +0100 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2012-11-28 10:38:13 +0100 |
commit | 487b7c7f320b5492a1c9398439e7298ba601ba5d (patch) | |
tree | 178121fd228f3fd59a5a20ef161a7990e6bc52fd | |
parent | 0f4772d12ff0fb95e2d8d2dc54b9b49d4ba8db96 (diff) | |
parent | bc492007da8c8614545a32560c445ab4e02baed0 (diff) | |
download | php-git-487b7c7f320b5492a1c9398439e7298ba601ba5d.tar.gz |
Merge branch 'PHP-5.3' into PHP-5.4
* PHP-5.3:
Fixed Bug #63581 Possible buffer overflow
Fixed Bug #63581 Possible null dereference
-rw-r--r-- | sapi/fpm/fpm/fpm_events.c | 8 | ||||
-rw-r--r-- | sapi/fpm/fpm/fpm_log.c | 7 |
2 files changed, 10 insertions, 5 deletions
diff --git a/sapi/fpm/fpm/fpm_events.c b/sapi/fpm/fpm/fpm_events.c index d5f7483b4f..d5835f0f7e 100644 --- a/sapi/fpm/fpm/fpm_events.c +++ b/sapi/fpm/fpm/fpm_events.c @@ -188,7 +188,9 @@ static int fpm_event_queue_del(struct fpm_event_queue_s **queue, struct fpm_even } if (q == *queue) { *queue = q->next; - (*queue)->prev = NULL; + if (*queue) { + (*queue)->prev = NULL; + } } /* ask the event module to remove the fd from its own queue */ @@ -432,7 +434,9 @@ void fpm_event_loop(int err) /* {{{ */ } if (q == fpm_event_queue_timer) { fpm_event_queue_timer = q->next; - fpm_event_queue_timer->prev = NULL; + if (fpm_event_queue_timer) { + fpm_event_queue_timer->prev = NULL; + } } q = q->next; free(q2); diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c index 69bd31b113..6b014b5005 100644 --- a/sapi/fpm/fpm/fpm_log.c +++ b/sapi/fpm/fpm/fpm_log.c @@ -96,7 +96,7 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp) /* {{{ */ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */ { char *s, *b; - char buffer[FPM_LOG_BUFFER]; + char buffer[FPM_LOG_BUFFER+1]; int token, test; size_t len, len2; struct fpm_scoreboard_proc_s proc, *proc_p; @@ -146,9 +146,10 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */ s = log_format; while (*s != '\0') { - if (len > FPM_LOG_BUFFER) { + /* Test is we have place for 1 more char. */ + if (len >= FPM_LOG_BUFFER) { zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER); - len = FPM_LOG_BUFFER - 1; + len = FPM_LOG_BUFFER; break; } |