Skip to content

Commit

Permalink
Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boun…
Browse files Browse the repository at this point in the history 
…dary
  • Loading branch information
@smalyshev
smalyshev committed Mar 18, 2015
1 parent fb04dcf commit ef8fc4b
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions NEWS
View file
Expand Up @@ -15,6 +15,10 @@ PHP NEWS
. Fixed bug #69085 (SoapClient's __call() type confusion through
unserialize()). (Dmitry)

- ZIP:
. Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
boundary). (Stas)

19 Feb 2015 PHP 5.4.38

- Core:
Expand Down
2 changes: 1 addition & 1 deletion ext/zip/lib/zip_dirent.c
View file
Expand Up @@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
return NULL;
}

if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
== NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
Expand Down

0 comments on commit ef8fc4b

Please sign in to comment.