From 4343cb1696fbc1f1520657ad6cb7c18113ceaca3 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 12 Oct 2019 15:56:16 +0100 Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043) --- sapi/fpm/fpm/fpm_main.c | 4 +- 4 files changed, 75 insertions(+), 5 deletions(-) create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 24a7e5d56a..50f92981f1 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -1209,8 +1209,8 @@ static void init_request_info(void) path_info = script_path_translated + ptlen; tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); } else { - path_info = env_path_info ? env_path_info + pilen - slen : NULL; - tflag = (orig_path_info != path_info); + path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; + tflag = path_info && (orig_path_info != path_info); } if (tflag) {