summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--NEWS4
-rw-r--r--ext/zip/lib/zip_dirent.c2
2 files changed, 5 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 06857ccf01..0ce25d00f6 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,10 @@ PHP NEWS
. Fixed bug #69085 (SoapClient's __call() type confusion through
unserialize()). (Dmitry)
+- ZIP:
+ . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
+ boundary). (Stas)
+
19 Feb 2015 PHP 5.4.38
- Core:
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c989..0090801af2 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
return NULL;
}
- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
== NULL) {
_zip_error_set(error, ZIP_ER_MEMORY, 0);
free(cd);
View Lorry Controller Status