added back

[bugBotter]

No description provided.

[cursor]

Bug: Request URI Buffer Overflow Due to Assertion Error

In the php_cli_server_client_read_request_on_url function, a copy-paste error causes the assertion to check client->request.query_string_len instead of client->request.request_uri_len when extending the request URI buffer. This leads to incorrect buffer overflow protection for the request URI.

sapi/cli/php_cli_server.c#L1648-L1649

php-src_test_2/sapi/cli/php_cli_server.c

Lines 1648 to 1649 in 2276975

	ZEND_ASSERT(client->request.request_method == parser->method);
	ZEND_ASSERT(length <= PHP_HTTP_MAX_HEADER_SIZE && PHP_HTTP_MAX_HEADER_SIZE - length >= client->request.query_string_len);

Fix in Cursor

---

Bug: Binary Search Infinite Loop Bug

The binary search implementation in get_template_string() can cause an infinite loop. This occurs when the lower bound s equals e-1 (the upper bound minus one), and the calculation for c results in c = s. If the condition d < code is true, s is then set to c, which means s does not advance, preventing the loop from terminating.

sapi/cli/php_cli_server.c#L311-L329

php-src_test_2/sapi/cli/php_cli_server.c

Lines 311 to 329 in 2276975

	static const char *get_template_string(int code) /* {{{ */
	{
	size_t e = (sizeof(template_map) / sizeof(php_cli_server_http_response_status_code_pair));
	size_t s = 0;
	while (e != s) {
	size_t c = MIN((e + s + 1) / 2, e - 1);
	int d = template_map[c].code;
	if (d > code) {
	e = c;
	} else if (d < code) {
	s = c;
	} else {
	return template_map[c].str;
	}
	}
	return NULL;
	} /* }}} */

Fix in Cursor

---

BugBot free trial expires on July 22, 2025
You have used $0.00 of your $50.00 spend limit so far. Manage your spend limit in the Cursor dashboard.

Was this report helpful? Give feedback by reacting with 👍 or 👎