Fixed bug #22805 (Reading of user input could stop prematurely).

sapi/apache2handler/sapi_apache2.c

@@ -149,32 +149,33 @@ php_apache_sapi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
 static int
 php_apache_sapi_read_post(char *buf, uint count_bytes TSRMLS_DC)
 {
-	apr_size_t len;
+	apr_size_t len, tlen=0;
 	php_struct *ctx = SG(server_context);
 	request_rec *r;
 	apr_bucket_brigade *brigade;
-	apr_status_t rv;
 
 	r = ctx->r;
 	brigade = ctx->brigade;
 	len = count_bytes;
 
-	rv = ap_get_brigade(r->input_filters, brigade, AP_MODE_READBYTES,
-						APR_BLOCK_READ, len);
+	/*
+	 * This loop is needed because ap_get_brigade() can return us partial data
+	 * which would cause premature termination of request read. Therefor we
+	 * need to make sure that if data is avaliable we fill the buffer completely.
+	 */
 
-	if (rv == APR_SUCCESS) {
+	while (ap_get_brigade(r->input_filters, brigade, AP_MODE_READBYTES, APR_BLOCK_READ, len) == APR_SUCCESS) {
 		apr_brigade_flatten(brigade, buf, &len);
-	} else {
-		len = 0;
+		apr_brigade_cleanup(brigade);
+		tlen += len;
+		if (tlen == count_bytes || !len) {
+			break;
+		}
+		buf += len;
+		len = count_bytes - tlen;
 	}
 	
-	apr_brigade_cleanup(brigade);
-	
-	/* This is downcast is okay, because len is constrained by
-	 * count_bytes and we know ap_get_brigade won't return more
-	 * than that.
-	 */
-	return len;
+	return tlen;
 }
 
 static struct stat*