2 files changed, 16 insertions, 12 deletions

diff --git a/NEWS b/NEWS
index 67f8630ced..23f6bb2e23 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,8 @@ PHP                                                                        NEWS
   . Fixed bug #67839 (mysqli does not handle 4-byte floats correctly). (Keyur)
 
 - OpenSSL:
+  . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads).
+    (Daniel Lowrey)
   . Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
     (Daniel Lowrey)
 
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 1af8b12115..de9e9911c1 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -1849,7 +1849,7 @@ static size_t php_openssl_sockop_read(php_stream *stream, char *buf, size_t coun
 		   to hang forever. To avoid this scenario we poll with a timeout before performing
 		   the actual read. If it times out we're finished.
 		*/
-		if (sock->is_blocked) {
+		if (sock->is_blocked && SSL_pending(sslsock->ssl_handle) == 0) {
 			php_openssl_stream_wait_for_data(sock);
 			if (sock->timeout_event) {
 				stream->eof = 1;
@@ -2176,17 +2176,19 @@ static int php_openssl_sockop_cast(php_stream *stream, int castas, void **ret TS
 
 		case PHP_STREAM_AS_FD_FOR_SELECT:
 			if (ret) {
-				if (sslsock->ssl_active) {
-					/* OpenSSL has an internal buffer which select() cannot see. If we don't
-					   fetch it into the stream's buffer, no activity will be reported on the
-					   stream even though there is data waiting to be read - but we only fetch
-					   the number of bytes OpenSSL has ready to give us since we weren't asked
-					   for any data at this stage. This is only likely to cause issues with
-					   non-blocking streams, but it's harmless to always do it. */
-					int bytes;
-					while ((bytes = SSL_pending(sslsock->ssl_handle)) > 0) {
-						php_stream_fill_read_buffer(stream, (size_t)bytes);
-					}
+				/* OpenSSL has an internal buffer which select() cannot see. If we don't
+				 * fetch it into the stream's buffer, no activity will be reported on the
+				 * stream even though there is data waiting to be read - but we only fetch
+				 * the lower of bytes OpenSSL has ready to give us or chunk_size since we
+				 * weren't asked for any data at this stage. This is only likely to cause
+				 * issues with non-blocking streams, but it's harmless to always do it. */
+				size_t pending;
+				if (stream->writepos == stream->readpos
+					&& sslsock->ssl_active
+					&& (pending = (size_t)SSL_pending(sslsock->ssl_handle)) > 0) {
+						php_stream_fill_read_buffer(stream, pending < stream->chunk_size
+							? pending
+							: stream->chunk_size);
 				}
 
 				*(php_socket_t *)ret = sslsock->s.socket;