diff options
author | Stanislav Malyshev <stas@php.net> | 2014-12-30 01:25:30 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-12-30 01:26:00 -0800 |
commit | 71c970077d9ad46fc595095c50f211b3136d6459 (patch) | |
tree | 711b42dcf81d052c9c50f291444143c3efb06182 | |
parent | fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6 (diff) | |
parent | f9ad3086693fce680fbe246e4a45aa92edd2ac35 (diff) | |
download | php-git-71c970077d9ad46fc595095c50f211b3136d6459.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
FIx bug #68618 (out of bounds read crashes php-cgi)
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | sapi/cgi/cgi_main.c | 7 |
2 files changed, 8 insertions, 2 deletions
@@ -18,6 +18,9 @@ (CVE-2014-8142) (Stefan Esser) . Fixed bug #68676 (Explicit Double Free). (Kalle) +- CGI: + . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas) + - cURL: . Fixed bug #67643 (curl_multi_getcontent returns '' when CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans) diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index 41ebd494f4..032ecc1289 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -2434,14 +2434,17 @@ consult the installation file that came with this distribution, or visit \n\ int i = 1; c = file_handle.handle.stream.mmap.buf[i++]; - while (c != '\n' && c != '\r' && c != EOF) { + while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) { c = file_handle.handle.stream.mmap.buf[i++]; } if (c == '\r') { - if (file_handle.handle.stream.mmap.buf[i] == '\n') { + if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') { i++; } } + if(i > file_handle.handle.stream.mmap.len) { + i = file_handle.handle.stream.mmap.len; + } file_handle.handle.stream.mmap.buf += i; file_handle.handle.stream.mmap.len -= i; } |