From 7cf491b661ee57a11b79f99416c6296bae2f27a0 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Tue, 20 Feb 2018 15:34:43 -0800

Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start

---

 ext/standard/http_fopen_wrapper.c     |  4 ++--

 ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++

 2 files changed, 34 insertions(+), 2 deletions(-)

 create mode 100644 ext/standard/tests/http/bug75981.phpt

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c

index f6b0368..75d21c0 100644

--- a/ext/standard/http_fopen_wrapper.c

+++ b/ext/standard/http_fopen_wrapper.c

@@ -691,9 +691,9 @@ finish:

 								tmp_line, response_code);

 				}

 			}

-			if (tmp_line[tmp_line_len - 1] == '\n') {

+			if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {

 				--tmp_line_len;

-				if (tmp_line[tmp_line_len - 1] == '\r') {

+				if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {

 					--tmp_line_len;

 				}

 			}

diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt

new file mode 100644

index 0000000..d415de6

--- /dev/null

+++ b/ext/standard/tests/http/bug75981.phpt

@@ -0,0 +1,32 @@

+--TEST--

+Bug #75981 (stack-buffer-overflow while parsing HTTP response)

+--INI--

+allow_url_fopen=1

+--SKIPIF--

+

+--FILE--

+

+require 'server.inc';

+

+$options = [

+  'http' => [

+    'protocol_version' => '1.1',

+    'header' => 'Connection: Close'

+  ],

+];

+

+$ctx = stream_context_create($options);

+

+$responses = [

+	"data://text/plain,000000000100\xA\xA"

+];

+$pid = http_server('tcp://127.0.0.1:12342', $responses);

+

+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);

+

+http_server_kill($pid);

+

+?>

+DONE

+--EXPECT--

+DONE

-- 

2.1.4