Fixed a possible crash when PATH_INFO is not provided but the path contains

path info information

2 files changed, 38 insertions, 6 deletions

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index b59a3994aa..4f28378e6a 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -825,8 +825,8 @@ static void init_request_info(TSRMLS_D)
 						 * out what SCRIPT_NAME should be
 						 */
 						int slen = len - strlen(pt);
-						int pilen = strlen(env_path_info);
-						char *path_info = env_path_info + pilen - slen;
+						int pilen = env_path_info ? strlen(env_path_info) : 0;
+						char *path_info = env_path_info ? env_path_info + pilen - slen : NULL;
 
 						if (orig_path_info != path_info) {
 							if (orig_path_info) {
@@ -866,10 +866,12 @@ static void init_request_info(TSRMLS_D)
 							env_script_name = pt + l;
 
 							/* PATH_TRANSATED = DOCUMENT_ROOT + PATH_INFO */
-							path_translated_len = l + strlen(env_path_info);
+							path_translated_len = l + (env_path_info ? strlen(env_path_info) : 0);
 							path_translated = (char *) emalloc(path_translated_len + 1);
 							memcpy(path_translated, env_document_root, l);
-							memcpy(path_translated + l, env_path_info, (path_translated_len - l));
+							if (env_path_info) {
+								memcpy(path_translated + l, env_path_info, (path_translated_len - l));
+							}
 							path_translated[path_translated_len] = '\0';
 							if (orig_path_translated) {
 								_sapi_cgibin_putenv("ORIG_PATH_TRANSLATED", orig_path_translated TSRMLS_CC);
@@ -881,12 +883,14 @@ static void init_request_info(TSRMLS_D)
 						) {
 							/* PATH_TRANSATED = PATH_TRANSATED - SCRIPT_NAME + PATH_INFO */
 							int ptlen = strlen(pt) - strlen(env_script_name);
-							int path_translated_len = ptlen + strlen(env_path_info);
+							int path_translated_len = ptlen + env_path_info ? strlen(env_path_info) : 0;
 							char *path_translated = NULL;
 
 							path_translated = (char *) emalloc(path_translated_len + 1);
 							memcpy(path_translated, pt, ptlen);
-							memcpy(path_translated + ptlen, env_path_info, path_translated_len - ptlen);
+							if (env_path_info) {
+								memcpy(path_translated + ptlen, env_path_info, path_translated_len - ptlen);
+							}
 							path_translated[path_translated_len] = '\0';
 							if (orig_path_translated) {
 								_sapi_cgibin_putenv("ORIG_PATH_TRANSLATED", orig_path_translated TSRMLS_CC);
diff --git a/sapi/cgi/tests/009.phpt b/sapi/cgi/tests/009.phpt
new file mode 100644
index 0000000000..c92fc87a83
--- /dev/null
+++ b/sapi/cgi/tests/009.phpt
@@ -0,0 +1,28 @@
+--TEST--
+path info request without exported PATH_INFO
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$f = tempnam(sys_get_temp_dir(), 'cgitest');
+
+putenv("TRANSLATED_PATH=".$f."/x");
+putenv("SCRIPT_FILENAME=".$f."/x");
+file_put_contents($f, '<?php var_dump($_SERVER["TRANSLATED_PATH"]); ');
+
+echo (`$php $f`);
+
+echo "Done\n";
+?>
+--EXPECTF--
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+string(%d) "%s/x"
+Done