Fix #66479: Wrong response to FCGI_GET_VALUES

Requesting Get-Values via FCGI caused an "endless" loop over the last requested parameter and ended with an invalid response. this patch solves this loop bug.

Conflicts:
	sapi/cgi/fastcgi.c

NEWS

@@ -3,10 +3,10 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 5.5.22
 
 - Core:
-  . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
-    buffer overflow). (Stas)
   . Fixed bug #67068 (getClosure returns somethings that's not a closure). 
     (Danack at basereality dot com)
+  . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
+    buffer overflow). (Stas)
 
 - Date:
   . Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick)
@@ -20,6 +20,7 @@ PHP                                                                        NEWS
   . Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers)
 
 - FPM:
+  . Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle)
   . Fixed bug #68571 (core dump when webserver close the socket).
     (redfoxli069 at gmail dot com, Laruence)
 

sapi/cgi/fastcgi.c

@@ -998,6 +998,7 @@ static int fcgi_read_request(fcgi_request *req)
 		q = req->env.list;
 		while (q != NULL) {
 			if (zend_hash_find(&fcgi_mgmt_vars, q->var, q->var_len, (void**) &value) != SUCCESS) {
+				q = q->list_next;
 				continue;
 			}
 			zlen = Z_STRLEN_PP(value);
@@ -1024,6 +1025,7 @@ static int fcgi_read_request(fcgi_request *req)
 			p += q->var_len;
 			memcpy(p, Z_STRVAL_PP(value), zlen);
 			p += zlen;
+			q = q->list_next;
 		}
 		len = p - buf - sizeof(fcgi_header);
 		len += fcgi_make_header((fcgi_header*)buf, FCGI_GET_VALUES_RESULT, 0, len);