1 CVE-2015-2331 |
|
2 Community BUG: |
|
3 https://bugs.php.net/bug.php?id=69253 |
|
4 Community CODE: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 |
|
6 Below is the community patch. |
|
7 |
|
8 |
|
9 From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001 |
|
10 From: Stanislav Malyshev <[email protected]> |
|
11 Date: Tue, 17 Mar 2015 21:59:56 -0700 |
|
12 Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past |
|
13 heap boundary |
|
14 |
|
15 --- |
|
16 NEWS | 4 ++++ |
|
17 ext/zip/lib/zip_dirent.c | 2 +- |
|
18 2 files changed, 5 insertions(+), 1 deletion(-) |
|
19 |
|
20 diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c |
|
21 index b9dac5c..0090801 100644 |
|
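--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 return NULL;
 }
 
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
 == NULL) {
 _zip_error_set(error, ZIP_ER_MEMORY, 0);
 free(cd);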
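Review bot: The new guard on the `malloc` line compares the signed `int nentry` with a `size_t` bound, so a negative count is rejected only because the implicit conversion turns it into a very large unsigned value. That makes the check correct by accident of the conversion rules and easy to break in a later edit; I would state it explicitly, `if (nentry < 0 || (size_t)nentry > ((size_t)-1)/sizeof(*(cd->entry)) || ...`, and add a short comment that `nentry` comes from the archive and must not be allowed to wrap the size computation. The bound also only stops the multiplication from overflowing. It does not limit the request to what the archive could actually contain, so where `size_t` is 64 bits a large positive count still reaches `malloc`. Whether the caller cross-checks the count against the central directory size is not visible here, since `_zip_cdir_new` starts and ends outside the hunk.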
|
33 -- |
|
34 2.1.4 |
|
35 |
|