dmitry          Mon May 22 09:22:40 2006 UTC

  Modified files:              (Branch: PHP_5_1)
    /php-src/sapi/cgi   fastcgi.c 
  Log:
  Fixed bug #37496 (FastCGI output buffer overrun)
  
  
http://cvs.php.net/viewcvs.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.4.2.13&r2=1.4.2.14&diff_format=u
Index: php-src/sapi/cgi/fastcgi.c
diff -u php-src/sapi/cgi/fastcgi.c:1.4.2.13 php-src/sapi/cgi/fastcgi.c:1.4.2.14
--- php-src/sapi/cgi/fastcgi.c:1.4.2.13 Fri May  5 07:05:34 2006
+++ php-src/sapi/cgi/fastcgi.c  Mon May 22 09:22:40 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: fastcgi.c,v 1.4.2.13 2006/05/05 07:05:34 dmitry Exp $ */
+/* $Id: fastcgi.c,v 1.4.2.14 2006/05/22 09:22:40 dmitry Exp $ */
 
 #include "fastcgi.h"
 #include "php.h"
@@ -769,15 +769,17 @@
        if (req->out_hdr && req->out_hdr->type != type) {
                close_packet(req);
        }
-       rest = len;
 #if 0
-       /* Unoptinmzed, but clear version */
+       /* Unoptimized, but clear version */
+       rest = len;
        while (rest > 0) {
                limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
                if (!req->out_hdr) {
                        if (limit < sizeof(fcgi_header)) {
-                               fcgi_flush(req, 0);
+                               if (!fcgi_flush(req, 0)) {
+                                       return -1;
+                               }       
                        }
                        open_packet(req, type);
                }
@@ -791,32 +793,38 @@
                        req->out_pos += limit;
                        rest -= limit;
                        str += limit;
-                       fcgi_flush(req, 0);
+                       if (!fcgi_flush(req, 0)) {
+                               return -1;
+                       }
                }
        }
 #else
-       /* Optinmzed version */
+       /* Optimized version */
+       limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
        if (!req->out_hdr) {
-               rest += sizeof(fcgi_header);
+               limit -= sizeof(fcgi_header);
        }
-       limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
 
-       if (rest < limit) {
+       if (len < limit) {
                if (!req->out_hdr) {
                        open_packet(req, type);
                }
                memcpy(req->out_pos, str, len);
                req->out_pos += len;
-       } else if (rest - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
+       } else if (len - limit < sizeof(req->out_buf) - sizeof(fcgi_header)) {
                if (!req->out_hdr) {
                        open_packet(req, type);
                }
                memcpy(req->out_pos, str, limit);
                req->out_pos += limit;
-               fcgi_flush(req, 0);
-               open_packet(req, type);
-               memcpy(req->out_pos, str + limit, len - limit);
-               req->out_pos += len - limit;
+               if (!fcgi_flush(req, 0)) {
+                       return -1;
+               }
+               if (len > limit) {
+                       open_packet(req, type);
+                       memcpy(req->out_pos, str + limit, len - limit);
+                       req->out_pos += len - limit;
+               }
        } else {
                int pos = 0;
                int pad;
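Review bot: The optimized path subtracts `sizeof(fcgi_header)` from `limit` without first checking that a header still fits, so with no open packet and fewer than `sizeof(fcgi_header)` bytes free, `limit` can go below zero (or wrap, if it is unsigned). The `#if 0` version guards this with `if (limit < sizeof(fcgi_header))` followed by a flush, but the `#else` branch has no equivalent. In the second branch that value reaches `memcpy(req->out_pos, str, limit)` as a length, and `open_packet()` is called with no room for the header. The declarations of `limit` and `len` are outside the hunk, so the exact signedness behaviour should be confirmed, as should the assumption that `fcgi_flush()` rewinds `req->out_pos`. The sketch below flushes and recomputes before reserving header space.

```c
	limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
	if (!req->out_hdr) {
		/* No room left for a record header: flush first, as the #if 0 version does. */
		if (limit < (int)sizeof(fcgi_header)) {
			if (!fcgi_flush(req, 0)) {
				return -1;
			}
			limit = sizeof(req->out_buf) - (req->out_pos - req->out_buf);
		}
		limit -= sizeof(fcgi_header);
	}
	/* … unchanged: the three len/limit branches … */
```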
@@ -826,7 +834,9 @@
                        open_packet(req, type);
                        fcgi_make_header(req->out_hdr, type, req->id, 0xfff8);
                        req->out_hdr = NULL;
-                       fcgi_flush(req, 0);
+                       if (!fcgi_flush(req, 0)) {
+                               return -1;
+                       }
                        if (safe_write(req, str + pos, 0xfff8) != 0xfff8) {
                                req->keep = 0;
                                return -1;
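Review bot: The new `if (!fcgi_flush(req, 0)) { return -1; }` exits leave `req->keep` untouched, whereas the `safe_write()` failure path just below sets `req->keep = 0` before returning. The same asymmetry appears in the next hunk and in the earlier flush checks. If `fcgi_flush()` already clears `keep` on failure (its body is not visible here), a short comment such as `/* fcgi_flush() clears req->keep on failure */` would document that. If it does not, the connection could be reused after a failed write, and the flush branches should set `req->keep = 0;` too.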
@@ -840,7 +850,9 @@
                open_packet(req, type);
                fcgi_make_header(req->out_hdr, type, req->id, (len - pos) - 
rest);
                req->out_hdr = NULL;
-               fcgi_flush(req, 0);
+               if (!fcgi_flush(req, 0)) {
+                       return -1;
+               }
                if (safe_write(req, str + pos, (len - pos) - rest) != (len - 
pos) - rest) {
                        req->keep = 0;
                        return -1;
