From 761c62267f6099af9c43a68af6156030a6c7a1af Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Tue, 30 Nov 2010 11:04:06 +0000
Subject: [PATCH] Fixed crash in zip extract method (possible CWE-170)
---
 NEWS | 2 ++
 ext/zip/php_zip.c | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 5eef9f2958..2b136343d9 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,8 @@
 - Upgraded bundled PCRE to version 8.10. (Ilia)
 - Security enhancements:
+ . Fixed crash in zip extract method (possible CWE-170).
+ (Maksymilian Arciemowicz, Pierre)
 . Paths with NULL in them (foo\0bar.txt) are now considered as invalid. (Rasmus)
 . Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). (Ilia)
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 5c291381c5..1b42c94457 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -162,6 +162,9 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil
 */
 virtual_file_ex(&new_state, file, NULL, CWD_EXPAND);
 path_cleaned = php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
+ if(!path_cleaned) {
+ return 0;
+ }
 path_cleaned_len = strlen(path_cleaned);
 if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
--
2.40.0
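Review bot: In the ext/zip/php_zip.c hunk, the new `if(!path_cleaned) { return 0; }` exits immediately after `virtual_file_ex(&new_state, file, NULL, CWD_EXPAND)` has populated `new_state`. If `new_state.cwd` is heap-allocated (its setup is outside this hunk), the early return probably leaks it for every rejected entry name, so it should be released before `return 0;` the same way the function's other failure exits do. The return value of `virtual_file_ex` is still ignored, so any failure it reports is not acted on; checking it explicitly would make rejection of a bad entry name deliberate instead of relying on the later NULL test. A short comment above the guard, e.g. `/* entry name did not reduce to a usable relative path; skip this entry */`, would record why NULL is possible before `strlen(path_cleaned)`. php_zip_extract_file begins and ends outside the hunk, so the cleanup convention needs confirming against the full function.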