diff options
author | Stanislav Malyshev <stas@php.net> | 2016-04-19 23:49:22 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-04-27 17:51:54 +0200 |
commit | 3b8d4de300854b3517c7acb239b84f7726c1353c (patch) | |
tree | 02b10706f09111c8d0b57638b7017b68e91008f5 | |
parent | 7133f28df57cef51076d5045b006c5c75c664728 (diff) | |
download | php-git-3b8d4de300854b3517c7acb239b84f7726c1353c.tar.gz |
Fix bug #71923 - integer overflow in ZipArchive::getFrom*
-rw-r--r-- | ext/zip/php_zip.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index db201af634..7c9adf4af7 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -1281,7 +1281,7 @@ static PHP_NAMED_FUNCTION(zif_zip_entry_read) } if (zr_rsrc->zf) { - buffer = zend_string_alloc(len, 0); + buffer = zend_string_safe_alloc(1, len, 0, 0); n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); if (n > 0) { ZSTR_VAL(buffer)[n] = '\0'; @@ -2728,7 +2728,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */ RETURN_FALSE; } - buffer = zend_string_alloc(len, 0); + buffer = zend_string_safe_alloc(1, len, 0, 0); n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); if (n < 1) { zend_string_free(buffer); |