Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary

author: Stanislav Malyshev <stas@php.net> 2015-03-17 21:59:56 -0700
committer: Julien Pauli <jpauli@php.net> 2015-03-18 10:39:34 +0100
commit: 4a8d8b4154334b1714e19b82b061201d41dc87d6 (patch)
tree: a2134c5fdf663eaff7d2cd6f3345613f6167517a
parent: 94e7638d9a04ebb82433147ef65e70a85d988074 (diff)
download: php-git-4a8d8b4154334b1714e19b82b061201d41dc87d6.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c989..0090801af2 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 	return NULL;
     }
 
-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
 	== NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);
author	Stanislav Malyshev <stas@php.net>	2015-03-17 21:59:56 -0700
committer	Julien Pauli <jpauli@php.net>	2015-03-18 10:39:34 +0100
commit	4a8d8b4154334b1714e19b82b061201d41dc87d6 (patch)
tree	a2134c5fdf663eaff7d2cd6f3345613f6167517a
parent	94e7638d9a04ebb82433147ef65e70a85d988074 (diff)
download	php-git-4a8d8b4154334b1714e19b82b061201d41dc87d6.tar.gz