[2005-07-12 17:51 UTC] sniper@php.net
Description:
------------
When uploading a file, in the post form, there's a hidden zone: <input type="hidden" name="MAX_FILE_SIZE" value="100">. The value of "MAX_FILE_SIZE" equals 10 (bytes) here, and it doesn't work. Actually, whenever MAX_FILE_SIZE is set to less than 1024*5, it doesn't work: the file will be uploaded and stored without error.

What does 1024*5 mean? It's the size of the buffer used to get file data from the multi-part body (FILLUNIT).

The mistake comes from here: in main/rfc1867.c, function "SAPI_POST_HANDLER_FUNC", it compares how many bytes have been read (total_bytes) to "MAX_FILE_SIZE" after reading again but before increasing total_bytes.

Reproduce code:
---------------
while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff) TSRMLS_CC)))
{
    //>> UP TO 1025*5 BYTES HAS BEEN READ
    if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
        sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
        cancel_upload = UPLOAD_ERROR_A;
    } else if (max_file_size && (total_bytes > max_file_size)) {
        //>> COMPARE total_bytes TO max_file_size BEFORE INCREASING total_bytes
#if DEBUG_FILE_UPLOAD
        sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
        cancel_upload = UPLOAD_ERROR_B;
    } else if (blen > 0) {
        wlen = write(fd, buff, blen);
        if (wlen < blen) {
#if DEBUG_FILE_UPLOAD
            sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
#endif
            cancel_upload = UPLOAD_ERROR_C;
        } else {
            //>> CHANGE total_bytes HERE, IT'S TOO LATE
            total_bytes += wlen;
        }
    }
}
if (fd!=-1) { /* may not be initialized if file could not be created */
    close(fd);
}
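
The check ordering described in this report, as an added example that is not code from the report or from PHP: a small simulation of the store loop for one file, with the upload_max_filesize branch left out. The names next_chunk, store_upload and count_first are hypothetical, the body sizes are constructed, and the count-first ordering is one possible correction, not necessarily the change PHP adopted.

```c
#include <stddef.h>
#include <stdio.h>

#define FILLUNIT (1024 * 5)   /* read-buffer size named in the report */

/* Hypothetical stand-in for multipart_buffer_read(): hands out the
 * remaining body in chunks of at most FILLUNIT bytes. */
static size_t next_chunk(size_t *remaining)
{
    size_t n = *remaining < FILLUNIT ? *remaining : FILLUNIT;
    *remaining -= n;
    return n;
}

/* Simulates the store loop for one uploaded file (constructed model).
 * count_first == 0: order from the report, limit tested against total_bytes
 *                   before the chunk just read has been counted.
 * count_first == 1: the chunk in hand is counted before the comparison.
 * Returns bytes stored; *cancelled is set when the limit tripped. */
size_t store_upload(size_t body_len, size_t max_file_size,
                    int count_first, int *cancelled)
{
    size_t total_bytes = 0, blen;

    *cancelled = 0;
    while (!*cancelled && (blen = next_chunk(&body_len)) > 0) {
        size_t seen = count_first ? total_bytes + blen : total_bytes;

        if (max_file_size && seen > max_file_size)
            *cancelled = 1;            /* UPLOAD_ERROR_B in the original */
        else
            total_bytes += blen;       /* stands in for write() + accounting */
    }
    return total_bytes;
}

int main(void)
{
    size_t sizes[] = { 50, 4000, 12000 };   /* constructed body sizes */
    int c;

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = store_upload(sizes[i], 100, 0, &c);
        printf("body=%5zu report order: stored=%5zu cancelled=%d", sizes[i], n, c);
        n = store_upload(sizes[i], 100, 1, &c);
        printf(" | count first: stored=%5zu cancelled=%d\n", n, c);
    }
    return 0;
}
```

With the order from the report, a body that fits in one FILLUNIT read is stored in full without the limit ever firing, and a larger body still has its first chunk stored before the cancel takes effect.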