diff options
| author | Stanislav Malyshev <stas@php.net> | 2018-02-20 15:34:43 -0800 |
|---|---|---|
| committer | Sara Golemon <pollita@php.net> | 2018-02-27 11:06:34 -0500 |
| commit | 7cf491b661ee57a11b79f99416c6296bae2f27a0 (patch) | |
| tree | e47f5d11af9a2d4150ffff470eaa1af31943fb94 | |
| parent | 8354a831031167c715898a8af09a2a743784ab6b (diff) | |
| download | php-git-7cf491b661ee57a11b79f99416c6296bae2f27a0.tar.gz | |
Fix bug #75981: prevent reading beyond buffer start
| -rw-r--r-- | ext/standard/http_fopen_wrapper.c | 4 | ||||
| -rw-r--r-- | ext/standard/tests/http/bug75981.phpt | 32 |
2 files changed, 34 insertions, 2 deletions
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index f6b0368d4e..75d21c0761 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -718,9 +718,9 @@ finish: tmp_line, response_code); } } - if (tmp_line[tmp_line_len - 1] == '\n') { + if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { --tmp_line_len; - if (tmp_line[tmp_line_len - 1] == '\r') { + if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { --tmp_line_len; } } diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt new file mode 100644 index 0000000000..d415de66b9 --- /dev/null +++ b/ext/standard/tests/http/bug75981.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #75981 (stack-buffer-overflow while parsing HTTP response) +--INI-- +allow_url_fopen=1 +--SKIPIF-- +<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?> +--FILE-- +<?php +require 'server.inc'; + +$options = [ + 'http' => [ + 'protocol_version' => '1.1', + 'header' => 'Connection: Close' + ], +]; + +$ctx = stream_context_create($options); + +$responses = [ + "data://text/plain,000000000100\xA\xA" +]; +$pid = http_server('tcp://127.0.0.1:12342', $responses); + +echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); + +http_server_kill($pid); + +?> +DONE +--EXPECT-- +DONE |