authorRemi Collet <remi@php.net>2012-11-28 10:38:13 +0100
committerRemi Collet <remi@php.net>2012-11-28 10:38:13 +0100
commit487b7c7f320b5492a1c9398439e7298ba601ba5d (patch)
tree178121fd228f3fd59a5a20ef161a7990e6bc52fd
parent0f4772d12ff0fb95e2d8d2dc54b9b49d4ba8db96 (diff)
parentbc492007da8c8614545a32560c445ab4e02baed0 (diff)
downloadphp-git-487b7c7f320b5492a1c9398439e7298ba601ba5d.tar.gz
Merge branch 'PHP-5.3' into PHP-5.4
* PHP-5.3:
  Fixed Bug #63581 Possible buffer overflow
  Fixed Bug #63581 Possible null dereference
-rw-r--r--sapi/fpm/fpm/fpm_events.c8
-rw-r--r--sapi/fpm/fpm/fpm_log.c7
2 files changed, 10 insertions, 5 deletions
diff --git a/sapi/fpm/fpm/fpm_events.c b/sapi/fpm/fpm/fpm_events.c
index d5f7483b4f..d5835f0f7e 100644
--- a/sapi/fpm/fpm/fpm_events.c
+++ b/sapi/fpm/fpm/fpm_events.c
@@ -188,7 +188,9 @@ static int fpm_event_queue_del(struct fpm_event_queue_s **queue, struct fpm_even
}
if (q == *queue) {
*queue = q->next;
- (*queue)->prev = NULL;
+ if (*queue) {
+ (*queue)->prev = NULL;
+ }
}
/* ask the event module to remove the fd from its own queue */
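Review bot: The head-unlink sequence guarded here (`*queue = q->next;` followed by the new `if (*queue)` check) is repeated almost verbatim for `fpm_event_queue_timer` in fpm_event_loop in the next hunk, and both copies needed the same NULL fix. A small static helper taking the `struct fpm_event_queue_s **` head and the node would keep the empty-queue case in one place. Short of that, a comment on the new guard such as `/* q was the last element: the queue is now empty */` records why the check exists. Both function bodies start and end outside their hunks, so whether the rest of the two unlink paths matches is not visible here.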
@@ -432,7 +434,9 @@ void fpm_event_loop(int err) /* {{{ */
}
if (q == fpm_event_queue_timer) {
fpm_event_queue_timer = q->next;
- fpm_event_queue_timer->prev = NULL;
+ if (fpm_event_queue_timer) {
+ fpm_event_queue_timer->prev = NULL;
+ }
}
q = q->next;
free(q2);
diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
index 69bd31b113..6b014b5005 100644
--- a/sapi/fpm/fpm/fpm_log.c
+++ b/sapi/fpm/fpm/fpm_log.c
@@ -96,7 +96,7 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
{
char *s, *b;
- char buffer[FPM_LOG_BUFFER];
+ char buffer[FPM_LOG_BUFFER+1];
int token, test;
size_t len, len2;
struct fpm_scoreboard_proc_s proc, *proc_p;
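Review bot: The `+1` in `char buffer[FPM_LOG_BUFFER+1];` is undocumented, and its correctness depends on the clamp `len = FPM_LOG_BUFFER;` in the following hunk, so a later edit to either line can silently bring the off-by-one back. A comment at the declaration would tie the two together, e.g. `/* one extra byte: len may reach FPM_LOG_BUFFER and one more char is stored at buffer[len] */`. The store that uses that byte is presumably after the loop and is not shown in this diff, so the wording should be confirmed against it. The function body continues outside the hunk.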
@@ -146,9 +146,10 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
s = log_format;
while (*s != '\0') {
- if (len > FPM_LOG_BUFFER) {
+ /* Test is we have place for 1 more char. */
+ if (len >= FPM_LOG_BUFFER) {
zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
- len = FPM_LOG_BUFFER - 1;
+ len = FPM_LOG_BUFFER;
break;
}
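Review bot: The guard at the top of the `while` loop only establishes room for one byte per iteration, so it protects single-character appends. If any branch of the loop body (outside this hunk) advances `len` by more than one, the `len >= FPM_LOG_BUFFER` test fires only on the next iteration, after the write, and the clamp `len = FPM_LOG_BUFFER;` then hides the overrun instead of preventing it. Each multi-byte append should bound itself by the remaining space, `FPM_LOG_BUFFER - len`, and add to `len` only the bytes actually stored. The new comment also has a typo; `/* Test if we have room for 1 more char. */` reads better.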