20192108 problem in UTILITY/PHP
20231115 problem in UTILITY/PHP
20936509 problem in UTILITY/PHP
20804024 problem in UTILITY/PHP
20804061 problem in UTILITY/PHP
20804135 problem in UTILITY/PHP
20804363 problem in UTILITY/PHP
20804424 problem in UTILITY/PHP
20433657 problem in UTILITY/PHP
20803998 problem in UTILITY/PHP
20804391 problem in UTILITY/PHP
CVE-2015-2331
Community BUG:
https://bugs.php.net/bug.php?id=69253
Community CODE:
http://git.php.net/?p=php-src.git;a=commit;h=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
Below is the community patch.
From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <[email protected]>
Date: Tue, 17 Mar 2015 21:59:56 -0700
Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
heap boundary
---
NEWS | 4 ++++
ext/zip/lib/zip_dirent.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c..0090801 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
return NULL;
}
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
== NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
--
2.1.4