authorDmitry Stogov <dmitry@php.net>2011-01-19 08:38:25 +0000
committerDmitry Stogov <dmitry@php.net>2011-01-19 08:38:25 +0000
commit068a78014f678f066ba6a6b6d864a7f49530057c (patch)
tree4bc91b2a7ff89e6043fe6e5ff9a483100bd77410 /sapi/cgi
parentfdbc42611c9997fdcd875c21b17c74a5b0c57362 (diff)
Added checks for malformated FastCGI requests (Edgar Frank)
Diffstat (limited to 'sapi/cgi')
-rw-r--r--sapi/cgi/fastcgi.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/sapi/cgi/fastcgi.c b/sapi/cgi/fastcgi.c
index a5e4efa0fa..23fa043e3e 100644
--- a/sapi/cgi/fastcgi.c
+++ b/sapi/cgi/fastcgi.c
@@ -605,28 +605,39 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
{
char buf[128];
char *tmp = buf;
- int buf_size = sizeof(buf);
- int name_len, val_len;
+ size_t buf_size = sizeof(buf);
+ unsigned int name_len, val_len;
char *s;
int ret = 1;
while (p < end) {
name_len = *p++;
if (name_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
name_len = ((name_len & 0x7f) << 24);
name_len |= (*p++ << 16);
name_len |= (*p++ << 8);
name_len |= *p++;
}
+ if (p >= end) {
+ ret = 0;
+ break;
+ }
val_len = *p++;
if (val_len >= 128) {
+ if (p + 3 >= end) {
+ ret = 0;
+ break;
+ }
val_len = ((val_len & 0x7f) << 24);
val_len |= (*p++ << 16);
val_len |= (*p++ << 8);
val_len |= *p++;
}
- if (name_len + val_len < 0 ||
- name_len + val_len > end - p) {
+ if (name_len + val_len > end - p) {
/* Malformated request */
ret = 0;
break;
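Review bot: The two added guards `if (p + 3 >= end)` (in the name_len branch and again in the val_len branch) form `p + 3` before comparing, and when fewer than three bytes remain that pointer lies beyond one-past-the-end of the buffer, which C leaves undefined and which an optimiser may assume never happens. Comparing the remaining length keeps the same bound without forming the pointer: `if (end - p <= 3) {`. A short comment such as `/* need 3 more length bytes plus at least one byte after them */` would also explain why the test is `<=` rather than `<`. The final check `name_len + val_len > end - p` now mixes unsigned int with a pointer difference; it appears safe because p <= end holds at that point, but writing `(size_t)(end - p)` would make that explicit. The body of fcgi_get_params continues past the end of this hunk, so how the now-unsigned lengths and the size_t buf_size are used afterwards is not visible here.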