diff options
author | Anatol Belski <ab@php.net> | 2017-10-27 13:20:15 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2017-10-27 13:20:15 +0200 |
commit | 10dc1950f734e41ae001f295b12b54114e247c5e (patch) | |
tree | 5328804908b02dc6e64eb168937a88ba1b59f01e | |
parent | f0a42d9fe4990293829ba9c9a9685cdba585297b (diff) | |
download | php-git-10dc1950f734e41ae001f295b12b54114e247c5e.tar.gz |
Apply upstream patch for CVE-2017-14107
-rw-r--r-- | ext/zip/lib/zip_open.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_open.c b/ext/zip/lib/zip_open.c index d6209ee1e7..29409b747d 100644 --- a/ext/zip/lib/zip_open.c +++ b/ext/zip/lib/zip_open.c @@ -837,7 +837,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse zip_error_set(error, ZIP_ER_SEEK, EFBIG); return NULL; } - if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) { + if (offset+size > buf_offset + eocd_offset) { + /* cdir spans past EOCD record */ + zip_error_set(error, ZIP_ER_INCONS, 0); + return NULL; + } + if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) { zip_error_set(error, ZIP_ER_INCONS, 0); return NULL; } |