authorStanislav Malyshev <stas@php.net>2015-03-17 21:59:56 -0700
committerStanislav Malyshev <stas@php.net>2015-03-17 21:59:56 -0700
commitef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 (patch)
tree7b306530ab0bcc179be89d79fe9144948f21837e
parentfb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 (diff)
Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
-rw-r--r--NEWS4
-rw-r--r--ext/zip/lib/zip_dirent.c2
2 files changed, 5 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 06857ccf01..0ce25d00f6 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,10 @@ PHP NEWS
. Fixed bug #69085 (SoapClient's __call() type confusion through
unserialize()). (Dmitry)
+- ZIP:
+ . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
+ boundary). (Stas)
+
19 Feb 2015 PHP 5.4.38
- Core:
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c989..0090801af2 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
return NULL;
}
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
== NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
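Review bot: The added guard in the `if` compares `int nentry` against a `size_t` bound, so a negative count is caught only as a side effect of the implicit conversion to unsigned, and the `(size_t)nentry` cast in the multiplication hides that dependency. I would spell the intent out with `nentry < 0 || (size_t)nentry > ((size_t)-1)/sizeof(*(cd->entry))` and put a one-line comment above it, `/* reject entry counts whose byte size would wrap size_t (bug #69253) */`. The overflow case is reported as `ZIP_ER_MEMORY`, which presumably makes a malformed archive indistinguishable from a genuine allocation failure for callers; worth confirming that is intended. `_zip_cdir_new` starts and ends outside the hunk, and the diffstat lists no test file, so a regression test for the rejected count would be a useful follow-up.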