Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043

) cheery-picked from ab061f9 without the test as tester not available
microsoft · Oct 22, 2019 · c69bcb2 · c69bcb2
1 parent b85766d
commit c69bcb2
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
@@ -1245,8 +1245,8 @@ static void init_request_info(TSRMLS_D)
 								path_info = script_path_translated + ptlen;
 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
 							} else {
-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
-								tflag = (orig_path_info != path_info);
+								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
+								tflag = path_info && (orig_path_info != path_info);
 							}
 
 							if (tflag) {