Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5:
  FIx bug #68618 (out of bounds read crashes php-cgi)
  Fixed bug #68676 (Explicit Double Free)

Author: smalyshev

NEWS

@@ -17,6 +17,9 @@
     constructor). (dunglas at gmail dot com)
   . Fixed bug #68676 (Explicit Double Free). (Kalle)
 
+- CGI:
+  . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
+
 - cURL:
   . Fixed bug #67643 (curl_multi_getcontent returns '' when
     CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)

sapi/cgi/cgi_main.c

@@ -2437,14 +2437,17 @@ consult the installation file that came with this distribution, or visit \n\
 						    int i = 1;
 
 						    c = file_handle.handle.stream.mmap.buf[i++];
-							while (c != '\n' && c != '\r' && c != EOF) {
+							while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) {
 								c = file_handle.handle.stream.mmap.buf[i++];
 							}
 							if (c == '\r') {
-								if (file_handle.handle.stream.mmap.buf[i] == '\n') {
+								if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') {
 									i++;
 								}
 							}
+							if(i > file_handle.handle.stream.mmap.len) {
+								i = file_handle.handle.stream.mmap.len;
+							}
 							file_handle.handle.stream.mmap.buf += i;
 							file_handle.handle.stream.mmap.len -= i;
 						}