From af6607e207005b4757f7679d34f060b674da08c6 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Sat, 12 Oct 2019 15:56:16 +0100
Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
 (CVE-2019-11043)

cheery-picked from ab061f95ca966731b1c84cf5b7b20155c0a1c06a
without the test as tester not available
---
 sapi/fpm/fpm/fpm_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index d12ac018..22b889c1 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1245,8 +1245,8 @@ static void init_request_info(TSRMLS_D)
 								path_info = script_path_translated + ptlen;
 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
 							} else {
-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
-								tflag = (orig_path_info != path_info);
+								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
+								tflag = path_info && (orig_path_info != path_info);
 							}
 
 							if (tflag) {