Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5:
  Fix #66479: Wrong response to FCGI_GET_VALUES

2 files changed, 5 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index 847ddd8765..eaa587b7a3 100644
--- a/NEWS
+++ b/NEWS
@@ -3,10 +3,10 @@
 ?? Feb 2015, PHP 5.6.6
 
 - Core:
-  . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
-    buffer overflow). (Stas)
   . Fixed bug #67068 (getClosure returns somethings that's not a closure).
     (Danack at basereality dot com)
+  . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
+    buffer overflow). (Stas)
 
 - Dba:
   . Fixed bug #68711 (useless comparisons). (bugreports at internot dot info)
@@ -23,6 +23,7 @@
     gifs). (Anatol)
 
 - FPM:
+  . Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
   . Fixed bug #68571 (core dump when webserver close the socket).
     (redfoxli069 at gmail dot com, Laruence)
 
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index 98d503ec72..b79fbfac4b 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -998,6 +998,7 @@ static int fcgi_read_request(fcgi_request *req)
 		q = req->env.list;
 		while (q != NULL) {
 			if (zend_hash_find(&fcgi_mgmt_vars, q->var, q->var_len, (void**) &value) != SUCCESS) {
+				q = q->list_next;
 				continue;
 			}
 			zlen = Z_STRLEN_PP(value);
@@ -1024,6 +1025,7 @@ static int fcgi_read_request(fcgi_request *req)
 			p += q->var_len;
 			memcpy(p, Z_STRVAL_PP(value), zlen);
 			p += zlen;
+			q = q->list_next;
 		}
 		len = p - buf - sizeof(fcgi_header);
 		len += fcgi_make_header((fcgi_header*)buf, FCGI_GET_VALUES_RESULT, 0, len);