diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-03-17 21:59:56 -0700 |
|---|---|---|
| committer | Ferenc Kovacs <tyrael@php.net> | 2015-03-19 00:51:10 +0100 |
| commit | ec779124cb7279493ce1ca1088d1aaa32e82479a (patch) | |
| tree | b5ca7a001fe90503d079581e181ebe0dc83d1678 | |
| parent | 5fd617f2f5afa3a687969e7844864e027f97d964 (diff) | |
| download | php-git-ec779124cb7279493ce1ca1088d1aaa32e82479a.tar.gz | |
Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
| -rw-r--r-- | ext/zip/lib/zip_dirent.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c index 38e7ece9af..5b8da735c6 100644 --- a/ext/zip/lib/zip_dirent.c +++ b/ext/zip/lib/zip_dirent.c @@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struct zip_error *error) if (nentry == 0) cd->entry = NULL; - else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) { + else if (nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) { _zip_error_set(error, ZIP_ER_MEMORY, 0); free(cd); return NULL; |