Fix bug #75981: prevent reading beyond buffer start

2 files changed, 34 insertions, 2 deletions

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index ed6adc0039..78bd935a0e 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -737,9 +737,9 @@ finish:
 								tmp_line, response_code);
 				}
 			}
-			if (tmp_line[tmp_line_len - 1] == '\n') {
+			if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
 				--tmp_line_len;
-				if (tmp_line[tmp_line_len - 1] == '\r') {
+				if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
 					--tmp_line_len;
 				}
 			}
diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
new file mode 100644
index 0000000000..d415de66b9
--- /dev/null
+++ b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$options = [
+  'http' => [
+    'protocol_version' => '1.1',
+    'header' => 'Connection: Close'
+  ],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+	"data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE