summaryrefslogtreecommitdiff
path: root/ext/zip/lib/zip_dirent.c
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2015-03-17 22:02:57 -0700
committerStanislav Malyshev <stas@php.net>2015-03-17 22:03:24 -0700
commit225cb973e5e8371b54d174c32f8685fcd2cf4098 (patch)
tree08b6463063c5f129fd0967b95473c488979b6dd6 /ext/zip/lib/zip_dirent.c
parent749f82af02f4ed0570d5e3a4cf6a1a8f5e9b1514 (diff)
parent210cfafc2b3a1f72f520679b1b302abb8b1a14d0 (diff)
downloadphp-git-225cb973e5e8371b54d174c32f8685fcd2cf4098.tar.gz
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5: update NEWS Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary Conflicts: ext/zip/lib/zip_dirent.c
Diffstat (limited to 'ext/zip/lib/zip_dirent.c')
-rw-r--r--ext/zip/lib/zip_dirent.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index 38e7ece9af..5b8da735c6 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struct zip_error *error)
if (nentry == 0)
cd->entry = NULL;
- else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ else if (nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
return NULL;
View Lorry Controller Status