1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
Subject: Fixed bug #54681 (addGlob() crashes on invalid flags)
Origin: http://svn.php.net/viewvc/?view=revision&revision=310814
Fixed bug #54681 (addGlob() crashes on invalid flags)
CVE-2011-1657
[Ubuntu note: this patch has been slightly modified to apply to older
versions of php. - sbeattie]
---
ext/zip/php_zip.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -473,6 +473,28 @@ static char * php_zipobj_get_zip_comment
#define GLOB_FLAGMASK (~GLOB_ONLYDIR)
#else
#define GLOB_FLAGMASK (~0)
+#ifndef GLOB_BRACE
+# define GLOB_BRACE 0
+#endif
+#ifndef GLOB_MARK
+# define GLOB_MARK 0
+#endif
+#ifndef GLOB_NOSORT
+# define GLOB_NOSORT 0
+#endif
+#ifndef GLOB_NOCHECK
+# define GLOB_NOCHECK 0
+#endif
+#ifndef GLOB_NOESCAPE
+# define GLOB_NOESCAPE 0
+#endif
+#ifndef GLOB_ERR
+# define GLOB_ERR 0
+#endif
+
+/* This is used for checking validity of passed flags (passing invalid flags causes segfault in glob()!! */
+#define GLOB_AVAILABLE_FLAGS (0 | GLOB_BRACE | GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | GLOB_ERR | GLOB_ONLYDIR)
+
#endif /* }}} */
int php_zip_glob(char *pattern, int pattern_len, long flags, zval *return_value TSRMLS_DC) /* {{{ */
@@ -486,6 +508,16 @@ int php_zip_glob(char *pattern, int patt
glob_t globbuf;
int n;
int ret;
+
+ if (pattern_len >= MAXPATHLEN) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+ return -1;
+ }
+
+ if ((GLOB_AVAILABLE_FLAGS & flags) != flags) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform");
+ return -1;
+ }
#ifdef ZTS
if (!IS_ABSOLUTE_PATH(pattern, pattern_len)) {
|
