diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | sapi/cgi/fastcgi.c | 7 |
2 files changed, 6 insertions, 2 deletions
@@ -53,6 +53,7 @@ PHP NEWS - Fixed bug #37505 (touch() truncates large files). (Ilia) - Fixed bug #37499 (CLI segmentation faults during cleanup with sybase-ct extension enabled). (Tony) +- Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry) - Fixed bug #37487 (oci_fetch_array() array-type should always default to OCI_BOTH). (Tony) - Fixed bug #37395 (recursive mkdir() fails to create nonexistent directories diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c index 609c68eac1..1a6cd54ac1 100644 --- a/sapi/cgi/fastcgi.c +++ b/sapi/cgi/fastcgi.c @@ -798,6 +798,7 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf); if (!req->out_hdr) { limit -= sizeof(fcgi_header); + if (limit < 0) limit = 0; } if (len < limit) { @@ -810,8 +811,10 @@ int fcgi_write(fcgi_request *req, fcgi_request_type type, const char *str, int l if (!req->out_hdr) { open_packet(req, type); } - memcpy(req->out_pos, str, limit); - req->out_pos += limit; + if (limit > 0) { + memcpy(req->out_pos, str, limit); + req->out_pos += limit; + } if (!fcgi_flush(req, 0)) { return -1; } |