kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/games/openlierox/files/patch-CVE-2015-2331
Jan Beich 4668ba1156 Backport CVE-2015-2331 fix to bundled libzip 
MFH:		2015Q3
Security:	264749ae-d565-11e4-b545-00269ee29e57
2015-09-20 09:22:44 +00:00

18 lines
760 B
Text
Raw Blame History

From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 17 Mar 2015 21:59:56 -0700
Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c..0090801 100644
--- libs/libzip/zip_dirent.c
+++ libs/libzip/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
return NULL;
}
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
== NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
Reference in a new issue View git blame Copy permalink