authorAnatol Belski <ab@php.net>2017-10-27 13:16:56 +0200
committerAnatol Belski <ab@php.net>2017-10-27 13:16:56 +0200
commitf6e8ce812174343b5c9fd1860f9e2e2864428567 (patch)
tree77b51c855a2c9bb207ab46d1130fe0ddb4de83fb /ext
parentf600785f6537babd23da5f40545afe2bbf80f3b7 (diff)
Backport and apply upstream patch for CVE-2017-14107
Diffstat (limited to 'ext')
-rw-r--r--ext/zip/lib/zip_open.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_open.c b/ext/zip/lib/zip_open.c
index d91fe469db..3616cc5448 100644
--- a/ext/zip/lib/zip_open.c
+++ b/ext/zip/lib/zip_open.c
@@ -726,7 +726,12 @@ _zip_read_eocd64(FILE *f, const zip_uint8_t *eocd64loc, const zip_uint8_t *buf,
_zip_error_set(error, ZIP_ER_SEEK, EFBIG);
return NULL;
}
- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
+ if (offset+size > buf_offset + eocd_offset) {
+ /* cdir spans past EOCD record */
+ _zip_error_set(error, ZIP_ER_INCONS, 0);
+ return NULL;
+ }
+ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
_zip_error_set(error, ZIP_ER_INCONS, 0);
return NULL;
}
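Review bot: Both new comparisons, the added `offset+size > buf_offset + eocd_offset` guard and the rewritten ZIP_CHECKCONS test, assume `eocd_offset` is relative to the start of the read buffer, but the hunk shows neither where `eocd_offset` is set nor the operand types. If `eocd_offset` in this bundled copy is already an absolute file offset, adding `buf_offset` loosens the bound, so a central directory could still extend past the EOCD64 record, and the strict check would reject consistent archives whenever `buf_offset` is non-zero. This should be confirmed against the part of `_zip_read_eocd64` above the hunk, which is not visible here. The sum `buf_offset + eocd_offset` is also not visibly guarded against wrap-around the way `offset+size` appears to be by the preceding EFBIG branch. If no earlier check covers it, and assuming both operands are unsigned 64-bit, I would add `if (buf_offset + eocd_offset < eocd_offset) { _zip_error_set(error, ZIP_ER_SEEK, EFBIG); return NULL; }` before the new guard.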