From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 20 Feb 2018 15:34:43 -0800 Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start --- ext/standard/http_fopen_wrapper.c | 4 ++-- ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 ext/standard/tests/http/bug75981.phpt diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index ed6adc0..78bd935 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -737,9 +737,9 @@ finish: tmp_line, response_code); } } - if (tmp_line[tmp_line_len - 1] == '\n') { + if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { --tmp_line_len; - if (tmp_line[tmp_line_len - 1] == '\r') { + if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { --tmp_line_len; } } diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt new file mode 100644 index 0000000..d415de6 --- /dev/null +++ b/ext/standard/tests/http/bug75981.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #75981 (stack-buffer-overflow while parsing HTTP response) +--INI-- +allow_url_fopen=1 +--SKIPIF-- + +--FILE-- + [ + 'protocol_version' => '1.1', + 'header' => 'Connection: Close' + ], +]; + +$ctx = stream_context_create($options); + +$responses = [ + "data://text/plain,000000000100\xA\xA" +]; +$pid = http_server('tcp://127.0.0.1:12342', $responses); + +echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); + +http_server_kill($pid); + +?> +DONE +--EXPECT-- +DONE -- 2.1.4