CVE-2016-3078: php: integer overflow in ZipArchive::getFrom*

Posted by Hans Jerry Illikainen on May 03

Details
=======

An integer wrap may occur in PHP 7.x before version 7.0.6 when reading
zip files with the getFromIndex() and getFromName() methods of
ZipArchive, resulting in a heap overflow.

php-7.0.5/ext/zip/php_zip.c
,----
| 2679 static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
| 2680 {
| ....
| 2684 struct zip_stat sb;
| ....
| 2689 zend_long len = 0;
| ....
| 2692 zend_string *buffer;
| ....
| 2702…
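
The bug class described above, as an added example: a simplified model that is not PHP's code and not from the advisory's author. It shows a declared entry size narrowed and padded in 32-bit arithmetic, beside a checked version. The 32-bit size type, `HDR_SIZE` and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t size32_t;  /* assumption: models 32-bit allocation sizes */
#define HDR_SIZE 16u        /* assumption: header bytes in front of the data */

/* Unchecked pattern: the sum wraps modulo 2^32 for large declared sizes. */
static size32_t alloc_size_unchecked(uint64_t declared)
{
    size32_t len = (size32_t)declared;   /* silent narrowing */
    return HDR_SIZE + len + 1u;          /* header + data + NUL */
}

/* Hardened pattern: validate the declared size before doing arithmetic. */
static int alloc_size_checked(uint64_t declared, uint64_t available, size32_t *out)
{
    /* Reject sizes beyond the real data or too large for header + data + NUL. */
    if (declared > available || declared > (uint64_t)UINT32_MAX - HDR_SIZE - 1u)
        return -1;
    *out = (size32_t)(HDR_SIZE + declared + 1u);
    return 0;
}

/* Copy an entry into a fresh NUL-terminated buffer; NULL if rejected. */
static char *read_entry(const uint8_t *data, uint64_t available, uint64_t declared)
{
    size32_t total;
    if (alloc_size_checked(declared, available, &total) != 0)
        return NULL;
    char *buf = calloc(1, total);        /* zeroed, so the NUL is in place */
    if (buf != NULL)
        memcpy(buf + HDR_SIZE, data, (size_t)declared);
    return buf;
}

int main(void)
{
    static const uint8_t entry[] = "hello";  /* constructed sample entry */
    const uint64_t declared[] = { 5u, 0xFFFFFFFFu, 0x100000000ull };
    for (size_t i = 0; i < 3; i++) {
        char *buf = read_entry(entry, 5, declared[i]);
        printf("declared=%llu unchecked_alloc=%u checked=%s\n",
               (unsigned long long)declared[i],
               (unsigned)alloc_size_unchecked(declared[i]), buf ? "accepted" : "rejected");
        free(buf);
    }
    return 0;
}
```

In this model a declared size of 4294967295 yields an unchecked allocation of only 16 bytes, which is the mismatch between buffer size and bytes read that turns an integer wrap into a heap overflow.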
