
Commit 523f230

committed
Fix bug #75981: prevent reading beyond buffer start
1 parent 1f4b057 commit 523f230


2 files changed

+34
-2
lines changed


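--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -737,9 +737,9 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 tmp_line, response_code);
 }
 }
-if (tmp_line[tmp_line_len - 1] == '\n') {
+if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
 --tmp_line_len;
-if (tmp_line[tmp_line_len - 1] == '\r') {
+if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
 --tmp_line_len;
 }
 }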
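Review bot: The two added `tmp_line_len >= 1` guards carry no comment saying why the length can be zero at this point, so a later cleanup could mistake them for redundant and drop them; I would add above the first `if` something like `/* tmp_line_len may be 0 (empty line from the peer): never index tmp_line[tmp_line_len - 1] unchecked */`. The second guard is also missing a space after `&&` (`tmp_line_len >= 1 &&tmp_line[...]`), unlike the first guard two lines above it. If tmp_line_len is an unsigned type (its declaration is outside the hunk), an unguarded `tmp_line_len - 1` would wrap to a very large index rather than -1, which is worth stating in the comment. php_stream_url_wrap_http_ex starts and ends outside the hunk, so other places that index tmp_line by tmp_line_len could not be checked here.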

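--- a/ext/standard/tests/http/bug75981.phpt
+++ b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$options = [
+'http' => [
+'protocol_version' => '1.1',
+'header' => 'Connection: Close'
+],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+"data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE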
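Review bot: The only expectation is `DONE` and the fetch is silenced with `@`, so on an uninstrumented build this test most likely passes with or without the fix, since a read just before the buffer start need not crash or change the output. The "stack-buffer-overflow" wording in the title suggests the report came from a sanitizer run (inferred), so the test is a real regression guard only under ASan or valgrind. I would say so in a comment after the opening `<?php` of the `--FILE--` section, e.g. `// only observable under ASan/valgrind: the response below yields an empty line whose last byte must not be inspected`. The fixed port `12342` may also collide if another HTTP test binds the same port in a parallel run; whether the suite runs these in parallel is not visible here.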
