1 files changed, 12 insertions, 9 deletions

diff --git a/ext/zip/lib/zip_add_entry.c b/ext/zip/lib/zip_add_entry.c
index 583efc4561..24dbdaf47c 100644
--- a/ext/zip/lib/zip_add_entry.c
+++ b/ext/zip/lib/zip_add_entry.c
@@ -1,6 +1,6 @@
 /*
   zip_add_entry.c -- create and init struct zip_entry
-  Copyright (C) 1999-2012 Dieter Baron and Thomas Klausner
+  Copyright (C) 1999-2014 Dieter Baron and Thomas Klausner
 
   This file is part of libzip, a library to manipulate ZIP archives.
   The authors can be contacted at <libzip@nih.at>
@@ -17,7 +17,7 @@
   3. The names of the authors may not be used to endorse or promote
      products derived from this software without specific prior
      written permission.
-
+ 
   THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS
   OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -32,27 +32,30 @@
 */
 
 
-
 #include <stdlib.h>
 
 #include "zipint.h"
 
 
-
 /* NOTE: Signed due to -1 on error.  See zip_add.c for more details. */
 
 zip_int64_t
-_zip_add_entry(struct zip *za)
+_zip_add_entry(zip_t *za)
 {
     zip_uint64_t idx;
 
     if (za->nentry+1 >= za->nentry_alloc) {
-	struct zip_entry *rentries;
+	zip_entry_t *rentries;
 	zip_uint64_t nalloc = za->nentry_alloc + 16;
-        /* TODO check for overflow */
-	rentries = (struct zip_entry *)realloc(za->entry, sizeof(struct zip_entry) * (size_t)nalloc);
+	zip_uint64_t realloc_size = sizeof(struct zip_entry) * (size_t)nalloc;
+
+	if (sizeof(struct zip_entry) * (size_t)za->nentry_alloc > realloc_size) {
+	    zip_error_set(&za->error, ZIP_ER_MEMORY, 0);
+	    return -1;
+	}
+	rentries = (zip_entry_t *)realloc(za->entry, sizeof(struct zip_entry) * (size_t)nalloc);
 	if (!rentries) {
-	    _zip_error_set(&za->error, ZIP_ER_MEMORY, 0);
+	    zip_error_set(&za->error, ZIP_ER_MEMORY, 0);
 	    return -1;
 	}
 	za->entry = rentries;