| author | Craig Mohrman <craig.mohrman@oracle.com> |
| Tue, 16 Jun 2015 14:11:47 -0700 | |
| changeset 4494 | f5b717124172 |
| permissions | -rw-r--r-- |
|
4494
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
1 |
CVE-2015-2331 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
2 |
Community BUG: |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
3 |
https://bugs.php.net/bug.php?id=69253 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
4 |
Community CODE: |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
5 |
http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
6 |
Below is the community patch. |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
7 |
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
8 |
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
9 |
From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
10 |
From: Stanislav Malyshev <[email protected]> |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
11 |
Date: Tue, 17 Mar 2015 21:59:56 -0700 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
12 |
Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
13 |
heap boundary |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
14 |
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
15 |
--- |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
16 |
NEWS | 4 ++++ |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
17 |
ext/zip/lib/zip_dirent.c | 2 +- |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
18 |
2 files changed, 5 insertions(+), 1 deletion(-) |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
19 |
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
20 |
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
21 |
index b9dac5c..0090801 100644 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
22 |
--- a/ext/zip/lib/zip_dirent.c |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
23 |
+++ b/ext/zip/lib/zip_dirent.c |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
24 |
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error) |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
25 |
return NULL; |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
26 |
} |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
27 |
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
28 |
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry)) |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
29 |
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
30 |
== NULL) {
|
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
31 |
_zip_error_set(error, ZIP_ER_MEMORY, 0); |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
32 |
free(cd); |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
33 |
-- |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
34 |
2.1.4 |
|
f5b717124172
20192108 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
35 |