check length first, prevent out-of-bounds read

2024-11-24 10:24:11 +08:00 · 2016-02-03 14:48:38 +03:00 · 2016-02-03 14:48:38 +03:00 · 6f81e95c33
commit 6f81e95c33
parent 5154a48d37
1 changed files with 1 additions and 1 deletions
--- a/ext/session/session.c
+++ b/ext/session/session.c
@ -2942,7 +2942,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
 				if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
 					zval_dtor(&progress->sid);
 					ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
-				} else if (memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
+				} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
 					smart_str_free(&progress->key);
 					smart_str_appends(&progress->key, PS(rfc1867_prefix));
 					smart_str_appendl(&progress->key, *data->value, value_len);