authorEdin Kadribasic <edink@php.net>2002-11-22 15:47:39 +0000
committerEdin Kadribasic <edink@php.net>2002-11-22 15:47:39 +0000
commit81711ba621b0aa6268d63b28cd94f6eaee1f6ff3 (patch)
tree3e81b8207d4bc52343ae481e66880c101cd9e2b6
parentd33ff48608b72a8881689ee6303375343b9ace9d (diff)
Avoid possible buffer overflow.
-rw-r--r--sapi/cgi/cgi_main.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 119c7021dc..208fdc41a0 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -234,10 +234,11 @@ static void sapi_cgibin_flush(void *server_context)
}
}
+#define SAPI_CGI_MAX_HEADER_LENGTH 1024
static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
{
- char buf[1024];
+ char buf[SAPI_CGI_MAX_HEADER_LENGTH];
sapi_header_struct *h;
zend_llist_position pos;
long rfc2616_headers = 0;
@@ -255,7 +256,13 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
int len;
if (rfc2616_headers) {
- len = sprintf(buf, "%s\r\n", SG(sapi_headers).http_status_line);
+ len = snprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH,
+ "%s\r\n", SG(sapi_headers).http_status_line);
+
+ if (len > SAPI_CGI_MAX_HEADER_LENGTH) {
+ len = SAPI_CGI_MAX_HEADER_LENGTH;
+ }
+
} else {
len = sprintf(buf, "Status: %d\r\n", SG(sapi_headers).http_response_code);
}
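Review bot: The truncation check after the new snprintf() is off by one. With a C99-conforming snprintf the output is truncated whenever the return value is `>= SAPI_CGI_MAX_HEADER_LENGTH`, and the buffer then holds at most SAPI_CGI_MAX_HEADER_LENGTH - 1 characters plus the terminating NUL. As written, a return of exactly 1024 is not clamped and larger values are clamped to 1024, so if `len` is later used as the byte count for the write (that code is outside this hunk), the NUL terminator would be sent as part of the header. I would change the guard to `if (len >= SAPI_CGI_MAX_HEADER_LENGTH) { len = SAPI_CGI_MAX_HEADER_LENGTH - 1; }` and treat a negative return as an error rather than as a length. A truncated status line also loses its trailing `\r\n`, so decide whether to re-terminate it or fail the request; passing `sizeof(buf)` as the size argument would keep the bound tied to the array.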