authorStanislav Malyshev <stas@php.net>2015-03-17 22:04:39 -0700
committerStanislav Malyshev <stas@php.net>2015-03-17 22:04:39 -0700
commit1ecd82f58818fec41abbfae7fa0c15b6b7596a58 (patch)
tree4f4a89a4d4748d9cf43ad530d096414806b133d9
parent205fe3ab8912e4ab289b8b50343949e7fd084d4e (diff)
parent225cb973e5e8371b54d174c32f8685fcd2cf4098 (diff)
downloadphp-git-1ecd82f58818fec41abbfae7fa0c15b6b7596a58.tar.gz
Merge branch 'PHP-5.6'
* PHP-5.6: update NEWS Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary oops, no idea how this got in Fix bug #69248 - heap overflow vulnerability in regcomp.c add test for bug #68976 add NEWS Fixed bug #68976 - Use After Free Vulnerability in unserialize() update news Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options) fix tests Fix bug #69207 - move_uploaded_file allows nulls in path Conflicts: ext/ereg/regex/regcomp.c ext/standard/basic_functions.c ext/standard/var_unserializer.c ext/standard/var_unserializer.re win32/registry.c
-rw-r--r--ext/zip/lib/zip_dirent.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index 3383a12455..4009d93248 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struct zip_error *error)
if (nentry == 0)
cd->entry = NULL;
- else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ else if (nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
return NULL;
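Review bot: The new overflow guard in the `else if` is correct but undocumented and sits inline in an already dense condition; a one-line comment above it would help, e.g. `/* reject nentry whose byte size would wrap size_t before malloc (bug #69253) */`. The comparison is sound because `nentry` is `zip_uint64_t` (per the hunk header) and is compared before the `(size_t)` cast, which is what keeps the check effective on builds where size_t is 32 bits. The rejected count is reported as `ZIP_ER_MEMORY`, the same code as a genuine allocation failure, so a caller cannot tell an implausible entry count from out-of-memory. If `nentry` is read from the archive (not visible here), consider a distinct error code or an upstream sanity check of the count against the archive size. `_zip_cdir_new` starts and ends outside the hunk.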