fix memory leak and possible invalid reads

author: Antony Dovgal <tony2001@php.net> 2006-02-15 11:15:32 +0000
committer: Antony Dovgal <tony2001@php.net> 2006-02-15 11:15:32 +0000
commit: 82b6ccbc30b07dc1cfa4830a938e5c8e09256c85 (patch)
tree: 01538edcdd208af1ed1b2e7757491ac16427a6a8 /sapi/isapi/php5isapi.c
parent: 80683424838b3276ca415fcdfc712158ab2a7e3d (diff)
download: php-git-82b6ccbc30b07dc1cfa4830a938e5c8e09256c85.tar.gz
1 files changed, 8 insertions, 4 deletions
diff --git a/sapi/isapi/php5isapi.c b/sapi/isapi/php5isapi.c
index 97b3a5f51c..315932257a 100644
--- a/sapi/isapi/php5isapi.c
+++ b/sapi/isapi/php5isapi.c
@@ -279,14 +279,18 @@ static int sapi_isapi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
 			break;
 		default: {
 			const char *sline = SG(sapi_headers).http_status_line;
-			
-			status_buf = emalloc(MAX_STATUS_LENGTH + 1);
+			int sline_len;
 			
 			/* httpd requires that r->status_line is set to the first digit of
 			 * the status-code: */
-			if (sline && strlen(sline) > 12 && strncmp(sline, "HTTP/1.", 7) == 0 && sline[8] == ' ') {
-				status_buf = estrndup(sline + 9, MAX_STATUS_LENGTH);
+			if (sline && ((sline_len = strlen(sline)) > 12) && strncmp(sline, "HTTP/1.", 7) == 0 && sline[8] == ' ') {
+				if ((sline_len - 9) > MAX_STATUS_LENGTH) {
+					status_buf = estrndup(sline + 9, MAX_STATUS_LENGTH);
+				} else {
+					status_buf = estrndup(sline + 9, sline_len - 9);
+				}
 			} else {
+				status_buf = emalloc(MAX_STATUS_LENGTH + 1);
 				snprintf(status_buf, MAX_STATUS_LENGTH, "%d Undescribed", SG(sapi_headers).http_response_code);
 			}
 			header_info.pszStatus = status_buf;
author	Antony Dovgal <tony2001@php.net>	2006-02-15 11:15:32 +0000
committer	Antony Dovgal <tony2001@php.net>	2006-02-15 11:15:32 +0000
commit	82b6ccbc30b07dc1cfa4830a938e5c8e09256c85 (patch)
tree	01538edcdd208af1ed1b2e7757491ac16427a6a8 /sapi/isapi/php5isapi.c
parent	80683424838b3276ca415fcdfc712158ab2a7e3d (diff)
download	php-git-82b6ccbc30b07dc1cfa4830a938e5c8e09256c85.tar.gz