Fix bug #75981: prevent reading beyond buffer start

php · Feb 27, 2018 · 7cf491b · 7cf491b
1 parent 8354a83
commit 7cf491b
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
@@ -718,9 +718,9 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 								tmp_line, response_code);
 				}
 			}
-			if (tmp_line[tmp_line_len - 1] == '\n') {
+			if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
 				--tmp_line_len;
-				if (tmp_line[tmp_line_len - 1] == '\r') {
+				if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
 					--tmp_line_len;
 				}
 			}

diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$options = [
+  'http' => [
+    'protocol_version' => '1.1',
+    'header' => 'Connection: Close'
+  ],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+	"data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE