diff options
author | Stanislav Malyshev <stas@php.net> | 2015-03-17 21:59:56 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-03-17 21:59:56 -0700 |
commit | ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 (patch) | |
tree | 7b306530ab0bcc179be89d79fe9144948f21837e | |
parent | fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 (diff) | |
download | php-git-ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5.tar.gz |
Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/zip/lib/zip_dirent.c | 2 |
2 files changed, 5 insertions, 1 deletions
@@ -15,6 +15,10 @@ PHP NEWS . Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). (Dmitry) +- ZIP: + . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap + boundary). (Stas) + 19 Feb 2015 PHP 5.4.38 - Core: diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c index b9dac5c989..0090801af2 100644 --- a/ext/zip/lib/zip_dirent.c +++ b/ext/zip/lib/zip_dirent.c @@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error) return NULL; } - if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry)) + if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) { _zip_error_set(error, ZIP_ER_MEMORY, 0); free(cd); |