[Pkg-php-commits] [php/debian-squeeze] Fix _zip_name_locate function in zip_name_locate.c (CVE-2011-0421)
Ondřej Surý
ondrej at sury.org
Sat May 14 09:35:41 UTC 2011
---
debian/patches/CVE-2011-0421.patch | 35 +++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 36 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/CVE-2011-0421.patch
diff --git a/debian/patches/CVE-2011-0421.patch b/debian/patches/CVE-2011-0421.patch
new file mode 100644
index 0000000..ab03267
--- /dev/null
+++ b/debian/patches/CVE-2011-0421.patch
@@ -0,0 +1,35 @@
+--- a/ext/zip/lib/zip_name_locate.c
++++ b/ext/zip/lib/zip_name_locate.c
+@@ -60,6 +60,10 @@ _zip_name_locate(struct zip *za, const c
+ return -1;
+ }
+
++ if((flags & ZIP_FL_UNCHANGED) && !za->cdir) {
++ return -1;
++ }
++
+ cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;
+
+ n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
+--- /dev/null
++++ b/ext/zip/tests/bug53885.phpt
+@@ -0,0 +1,19 @@
++--TEST--
++Bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive)
++--SKIPIF--
++<?php
++if(!extension_loaded('zip')) die('skip');
++?>
++--FILE--
++<?php
++$fname = dirname(__FILE__)."/test53885.zip";
++if(file_exists($fname)) unlink($fname);
++touch($fname);
++$nx=new ZipArchive();
++$nx->open($fname);
++$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);
++$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);
++?>
++==DONE==
++--EXPECTF--
++==DONE==
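Review bot: The new guard in zip_name_locate.c returns -1 without recording an error on the archive, so a caller that checks zip_get_error()/zip_error_get() after a failed locate sees whatever error was set previously rather than "not found"; the preceding `return -1;` visible at the top of the hunk presumably follows an `_zip_error_set` call that is outside the hunk, and the guard should match it with `_zip_error_set(&za->error, ZIP_ER_NOENT, 0);` before `return -1;`. `_zip_name_locate` begins and ends outside this hunk. The bug53885.phpt test only proves the script reaches `==DONE==` without crashing; it never checks the return of `open()` or pins the result of the two FL_UNCHANGED lookups, so a regression that returned garbage instead of false would still pass — wrapping them as `var_dump($nx->locateName("a", ZIPARCHIVE::FL_UNCHANGED));` and expecting `bool(false)` would make the intended behaviour explicit. The test also leaves test53885.zip behind; a `--CLEAN--` section that unlinks it is the usual convention.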
diff --git a/debian/patches/series b/debian/patches/series
index 15567d6..f2f3713 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,3 +89,4 @@ fix-segfault-when-extending-SplFixedArray.patch
fix-segfault-when-node-is-NULL-in-simplexml.patch
fix-segfault-when-using-several-cloned-intl-objects.patch
fix-sqlite3-columnName-segfaults-on-bad-column_number.patch
+CVE-2011-0421.patch
--
1.7.1