[Pkg-php-commits] [php/debian-squeeze] Fix for integer signedness error in zip_stream.c (CVE-2011-1471)

Ondřej Surý ondrej at sury.org
Sat May 14 09:35:41 UTC 2011


---
 debian/patches/CVE-2011-1471.patch |   34 ++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 35 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2011-1471.patch

diff --git a/debian/patches/CVE-2011-1471.patch b/debian/patches/CVE-2011-1471.patch
new file mode 100644
index 0000000..0cbcf25
--- /dev/null
+++ b/debian/patches/CVE-2011-1471.patch
@@ -0,0 +1,34 @@
+--- a/ext/zip/zip_stream.c
++++ b/ext/zip/zip_stream.c
+@@ -30,11 +30,11 @@ struct php_zip_stream_data_t {
+ /* {{{ php_zip_ops_read */
+ static size_t php_zip_ops_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
+ {
+-	int n = 0;
++	ssize_t n = 0;
+ 	STREAM_DATA_FROM_STREAM();
+ 
+ 	if (self->za && self->zf) {
+-		n = (size_t)zip_fread(self->zf, buf, (int)count);
++		n = zip_fread(self->zf, buf, count);
+ 		if (n < 0) {
+ 			int ze, se;
+ 			zip_file_error_get(self->zf, &ze, &se);
+@@ -42,13 +42,15 @@ static size_t php_zip_ops_read(php_strea
+ 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf));
+ 			return 0;
+ 		}
+-		if (n == 0 || n < count) {
++		/* cast count to signed value to avoid possibly negative n
++		 * being cast to unsigned value */
++		if (n == 0 || n < (ssize_t)count) {
+ 			stream->eof = 1;
+ 		} else {
+ 			self->cursor += n;
+ 		}
+ 	}
+-	return (n < 1 ? 0 : n);
++	return (n < 1 ? 0 : (size_t)n);
+ }
+ /* }}} */
+ 
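Review bot: The new comparison `n < (ssize_t)count` in the second inner hunk of php_zip_ops_read moves the signedness problem to the other operand. A `count` larger than the maximum ssize_t value converts to a negative number on common platforms, so a short read would then fail to set `stream->eof`. The `n < 0` branch above has already returned by this point, so `n` is known to be non-negative and can safely be the operand that is cast: `if (n == 0 || (size_t)n < count) {`. The accompanying comment would then say that n is non-negative here because the error case returned earlier, rather than describing a cast of count. Part of the function body lies between the two inner hunks and is not visible, so this assumes nothing there changes `n`.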
diff --git a/debian/patches/series b/debian/patches/series
index 15eb5f2..d552732 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -91,3 +91,4 @@ fix-sqlite3-columnName-segfaults-on-bad-column_number.patch
 CVE-2011-0421.patch
 CVE-2011-1153.patch
 CVE-2011-0708.patch
+CVE-2011-1471.patch
-- 
1.7.1




