diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-12-30 01:27:20 -0800 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-12-30 01:27:20 -0800 |
| commit | 16b904cc1cf4c3c645b56512036ef4eb377aeebc (patch) | |
| tree | 31a07d7d484f9b9109fb49d667d7ad633cf559d0 | |
| parent | f2fc1bdb3357b0501ee3277a84d80efe2ece5f2d (diff) | |
| parent | 4c0f17caca1fc0a9fab66ada9c43c960011308f0 (diff) | |
| download | php-git-16b904cc1cf4c3c645b56512036ef4eb377aeebc.tar.gz | |
Merge branch 'PHP-5.6'
* PHP-5.6:
FIx bug #68618 (out of bounds read crashes php-cgi)
Fixed bug #68676 (Explicit Double Free)
Fixed bug #68676 (Explicit Double Free)
| -rw-r--r-- | sapi/cgi/cgi_main.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index 2bc7b047e5..4d6f4c1920 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -2414,14 +2414,17 @@ consult the installation file that came with this distribution, or visit \n\ int i = 1; c = file_handle.handle.stream.mmap.buf[i++]; - while (c != '\n' && c != '\r' && c != EOF) { + while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) { c = file_handle.handle.stream.mmap.buf[i++]; } if (c == '\r') { - if (file_handle.handle.stream.mmap.buf[i] == '\n') { + if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') { i++; } } + if(i > file_handle.handle.stream.mmap.len) { + i = file_handle.handle.stream.mmap.len; + } file_handle.handle.stream.mmap.buf += i; file_handle.handle.stream.mmap.len -= i; } |