Fix bug #71923 - integer overflow in ZipArchive::getFrom*

author: Stanislav Malyshev <stas@php.net> 2016-04-19 23:49:22 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-04-26 22:59:09 -0700
commit: ccc12efa32f855e6057cb9b7e1e45afe08503a00 (patch)
tree: a7de2646c2c5d882af61ab7c1b9c797379ef20e3 /ext/zip/php_zip.c
parent: c89b7a48606468107adb4a83d5d39bfc6cda1d5f (diff)
download: php-git-ccc12efa32f855e6057cb9b7e1e45afe08503a00.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index db201af634..7c9adf4af7 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1281,7 +1281,7 @@ static PHP_NAMED_FUNCTION(zif_zip_entry_read)
 	}
 
 	if (zr_rsrc->zf) {
-		buffer = zend_string_alloc(len, 0);
+		buffer = zend_string_safe_alloc(1, len, 0, 0);
 		n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
 		if (n > 0) {
 			ZSTR_VAL(buffer)[n] = '\0';
@@ -2728,7 +2728,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 		RETURN_FALSE;
 	}
 
-	buffer = zend_string_alloc(len, 0);
+	buffer = zend_string_safe_alloc(1, len, 0, 0);
 	n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
 	if (n < 1) {
 		zend_string_free(buffer);
author	Stanislav Malyshev <stas@php.net>	2016-04-19 23:49:22 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-04-26 22:59:09 -0700
commit	ccc12efa32f855e6057cb9b7e1e45afe08503a00 (patch)
tree	a7de2646c2c5d882af61ab7c1b9c797379ef20e3 /ext/zip/php_zip.c
parent	c89b7a48606468107adb4a83d5d39bfc6cda1d5f (diff)
download	php-git-ccc12efa32f855e6057cb9b7e1e45afe08503a00.tar.gz