[Pkg-php-commits] [php/debian-squeeze] Fix _zip_name_locate function in zip_name_locate.c (CVE-2011-0421)

Ondřej Surý ondrej at sury.org
Sat May 14 09:35:41 UTC 2011


---
 debian/patches/CVE-2011-0421.patch |   35 +++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 36 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2011-0421.patch

diff --git a/debian/patches/CVE-2011-0421.patch b/debian/patches/CVE-2011-0421.patch
new file mode 100644
index 0000000..ab03267
--- /dev/null
+++ b/debian/patches/CVE-2011-0421.patch
@@ -0,0 +1,35 @@
+--- a/ext/zip/lib/zip_name_locate.c
++++ b/ext/zip/lib/zip_name_locate.c
+@@ -60,6 +60,10 @@ _zip_name_locate(struct zip *za, const c
+ 	return -1;
+     }
+ 
++    if((flags & ZIP_FL_UNCHANGED)  && !za->cdir) {
++    	return -1;
++    }
++
+     cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;
+ 
+     n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
+--- /dev/null
++++ b/ext/zip/tests/bug53885.phpt
+@@ -0,0 +1,19 @@
++--TEST--
++Bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive)
++--SKIPIF--
++<?php
++if(!extension_loaded('zip')) die('skip');
++?>
++--FILE--
++<?php
++$fname = dirname(__FILE__)."/test53885.zip";
++if(file_exists($fname)) unlink($fname);
++touch($fname);
++$nx=new ZipArchive();
++$nx->open($fname);
++$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);
++$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);
++?>
++==DONE==
++--EXPECTF--
++==DONE==
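Review bot: The guard `if((flags & ZIP_FL_UNCHANGED)  && !za->cdir)` returns -1 without recording anything in `za->error`, so a caller that inspects the archive's last error after a failed lookup on an unchanged, directory-less archive sees whatever was left there earlier; the `return -1;` at the top of the hunk is presumably preceded by a `_zip_error_set` call outside the hunk (confirm), and the new path should match it, e.g. `_zip_error_set(&za->error, ZIP_ER_NOENT, 0); return -1;`, since no name can be located in an archive that has no central directory. The inserted `return -1;` also mixes spaces and a tab for its indent while the surrounding lines use spaces only. In the accompanying bug53885.phpt the results of `open()`, `locateName()` and `statName()` are never asserted, so the test only proves the absence of a crash; wrapping the two lookups in `var_dump(...)` and expecting `bool(false)` in `--EXPECTF--` would pin the new behaviour rather than just the missing segfault. `_zip_name_locate` begins before this hunk and continues after it.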
diff --git a/debian/patches/series b/debian/patches/series
index 15567d6..f2f3713 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,3 +89,4 @@ fix-segfault-when-extending-SplFixedArray.patch
 fix-segfault-when-node-is-NULL-in-simplexml.patch
 fix-segfault-when-using-several-cloned-intl-objects.patch
 fix-sqlite3-columnName-segfaults-on-bad-column_number.patch
+CVE-2011-0421.patch
-- 
1.7.1




