From f9ad3086693fce680fbe246e4a45aa92edd2ac35 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 30 Dec 2014 01:23:05 -0800
Subject: FIx bug #68618 (out of bounds read crashes php-cgi)

---
 NEWS                | 2 ++
 sapi/cgi/cgi_main.c | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 581f3a62b8..fa57ef3161 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20?? PHP 5.4.37
+- CGI:
+  . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
 
 18 Dec 2014 PHP 5.4.36
 
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index b8ff878fe4..0af98a47d4 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -2429,14 +2429,17 @@ consult the installation file that came with this distribution, or visit \n\
 						    int i = 1;
 
 						    c = file_handle.handle.stream.mmap.buf[i++];
-							while (c != '\n' && c != '\r' && c != EOF) {
+							while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) {
 								c = file_handle.handle.stream.mmap.buf[i++];
 							}
 							if (c == '\r') {
-								if (file_handle.handle.stream.mmap.buf[i] == '\n') {
+								if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') {
 									i++;
 								}
 							}
+							if(i > file_handle.handle.stream.mmap.len) {
+								i = file_handle.handle.stream.mmap.len;
+							}
 							file_handle.handle.stream.mmap.buf += i;
 							file_handle.handle.stream.mmap.len -= i;
 						}
-- 
cgit v1.2.1