dmitry		Mon Oct 16 10:46:59 2006 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src/sapi/cgi	fastcgi.c
    /php-src	NEWS
  Log:
  Fixed bug #39020 (PHP in FastCGI server mode crashes)

http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.4.2.13.2.10&r2=1.4.2.13.2.11&diff_format=u
Index: php-src/sapi/cgi/fastcgi.c
diff -u php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.10 php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.11
--- php-src/sapi/cgi/fastcgi.c:1.4.2.13.2.10	Wed Sep 13 13:03:01 2006
+++ php-src/sapi/cgi/fastcgi.c	Mon Oct 16 10:46:59 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: fastcgi.c,v 1.4.2.13.2.10 2006/09/13 13:03:01 dmitry Exp $ */
+/* $Id: fastcgi.c,v 1.4.2.13.2.11 2006/10/16 10:46:59 dmitry Exp $ */
 
 #include "php.h"
 #include "fastcgi.h"
@@ -390,13 +390,14 @@
 	return pad;
 }
 
-static void fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
+static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
 {
 	char buf[128];
 	char *tmp = buf;
 	int buf_size = sizeof(buf);
 	int name_len, val_len;
 	char *s;
+	int ret = 1;
 
 	while (p < end) {
 		name_len = *p++;
@@ -413,6 +414,11 @@
 			val_len |= (*p++ << 8);
 			val_len |= *p++;
 		}
+		if (p + name_len + val_len > end) {
+			/* Malformated request */
+			ret = 0;
+			break;
+		}
 		if (name_len+1 >= buf_size) {
 			buf_size = name_len + 64;
 			tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
@@ -426,6 +432,7 @@
 	if (tmp != buf && tmp != NULL) {
 		efree(tmp);
 	}
+	return ret;
 }
 
 static void fcgi_free_var(char **s)
@@ -503,7 +510,11 @@
 			req->keep = 0;
 			return 0;
 		}
-		fcgi_get_params(req, buf, buf+len);
+
+		if (!fcgi_get_params(req, buf, buf+len)) {
+			req->keep = 0;
+			return 0;
+		}
 
 		if (safe_read(req, &hdr, sizeof(fcgi_header)) != sizeof(fcgi_header) ||
 		    hdr.version < FCGI_VERSION_1) {
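Review bot: The new bounds check in fcgi_get_params, `if (p + name_len + val_len > end)`, builds a pointer that may lie far outside the buffer before comparing it — each length is decoded from up to four bytes, so the sum can be in the gigabyte range, and pointer arithmetic past the end of the array is undefined (on a 32-bit target it can wrap and make the comparison pass). Comparing the remaining space instead stays in bounds: `if (name_len > end - p || val_len > (end - p) - name_len) {`. The length bytes are also consumed before this check runs (`val_len |= (*p++ << 8); val_len |= *p++;` in this hunk, and presumably the matching name_len decoding just above it), while the loop condition `p < end` only guarantees one byte, so a record whose last length field is truncated is still read a few bytes past `end` before it is rejected; whether that read stays inside the caller's buffer is not visible here, and a check of `end - p` before each multi-byte length would remove the question. The comment should read `/* Malformed request */`. fcgi_get_params opens in the preceding hunk and its body continues beyond this one.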
@@ -518,9 +529,14 @@
 		unsigned char *p = buf + sizeof(fcgi_header);
 
 		if (safe_read(req, buf, len+padding) != len+padding) {
+			req->keep = 0;
+			return 0;
+		}
+
+		if (!fcgi_get_params(req, buf, buf+len)) {
+			req->keep = 0;
 			return 0;
 		}
-		fcgi_get_params(req, buf, buf+len);
 
 		for (j = 0; j < sizeof(fcgi_mgmt_vars)/sizeof(fcgi_mgmt_vars[0]); j++) {
 			if (zend_hash_exists(&req->env, fcgi_mgmt_vars[j].name, fcgi_mgmt_vars[j].name_len+1) == 0) {
@@ -531,6 +547,7 @@
 		len = p - buf - sizeof(fcgi_header);
 		len += fcgi_make_header((fcgi_header*)buf, FCGI_GET_VALUES_RESULT, 0, len);
 		if (safe_write(req, buf, sizeof(fcgi_header)+len) != (int)sizeof(fcgi_header)+len) {
+			req->keep = 0;
 			return 0;
 		}
 		return 0;
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.305&r2=1.2027.2.547.2.306&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.305 php-src/NEWS:1.2027.2.547.2.306
--- php-src/NEWS:1.2027.2.547.2.305	Fri Oct 13 01:42:20 2006
+++ php-src/NEWS	Mon Oct 16 10:46:59 2006
@@ -3,6 +3,7 @@
 12 Oct 2006, PHP 5.2.0RC6
 - Fixed invalid read in imagecreatefrompng when an empty file is given (Pierre, Tony)
+- Fixed bug #39020 (PHP in FastCGI server mode crashes). (Dmitry)
 - Fixed bug #38458, PECL bug #8944, PECL bug #7775 (error retrieving columns after long/text columns with PDO_ODBC). (Wez)
 - Fixed PECL bug #8816 (issue in php_oci_statement_fetch with more than one
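Review bot: The failure path `req->keep = 0; return 0;` is now spelled out verbatim in five places across this hunk, the @@ -531 hunk and the @@ -503 hunk of the same function, which makes it easy for a future error branch to drop the `req->keep = 0` half and leave a half-read connection marked reusable. A single `fail:` label reached by `goto` from each check, or a small `static int fcgi_abort_request(fcgi_request *req)` returning 0, would keep the connection-close semantics in one place. The enclosing function starts before these hunks, so I cannot tell whether other early returns in it were updated the same way.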