Merge branch 'PHP-5.6'

* PHP-5.6:
  FIx bug #68618 (out of bounds read crashes php-cgi)
  Fixed bug #68676 (Explicit Double Free)
  Fixed bug #68676 (Explicit Double Free)

Author: smalyshev

sapi/cgi/cgi_main.c

@@ -2414,14 +2414,17 @@ consult the installation file that came with this distribution, or visit \n\
 						    int i = 1;
 
 						    c = file_handle.handle.stream.mmap.buf[i++];
-							while (c != '\n' && c != '\r' && c != EOF) {
+							while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) {
 								c = file_handle.handle.stream.mmap.buf[i++];
 							}
 							if (c == '\r') {
-								if (file_handle.handle.stream.mmap.buf[i] == '\n') {
+								if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') {
 									i++;
 								}
 							}
+							if(i > file_handle.handle.stream.mmap.len) {
+								i = file_handle.handle.stream.mmap.len;
+							}
 							file_handle.handle.stream.mmap.buf += i;
 							file_handle.handle.stream.mmap.len -= i;
 						}