From ab061f95ca966731b1c84cf5b7b20155c0a1c06a Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sat, 12 Oct 2019 15:56:16 +0100
Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)

CVE: CVE-2019-11043

Fixed in php version 7.3.11.

Upstream-Status: Backport [https://git.php.net/repository/php-src.git]

Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
 NEWS                                          |  4 +-
 sapi/fpm/fpm/fpm_main.c                       |  4 +-
 .../tests/bug78599-path-info-underflow.phpt   | 61 +++++++++++++++++++
 sapi/fpm/tests/tester.inc                     | 11 +++-
 4 files changed, 75 insertions(+), 5 deletions(-)
 create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt

diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index 24a7e5d56a..50f92981f1 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1209,8 +1209,8 @@ static void init_request_info(void)
 								path_info = script_path_translated + ptlen;
 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
 							} else {
-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
-								tflag = (orig_path_info != path_info);
+								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
+								tflag = path_info && (orig_path_info != path_info);
 							}
 
 							if (tflag) {
-- 
2.17.1