Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary

smalyshev · smalyshev · commit ef8fc4b53d92 · 2015-03-17T21:59:56.000-07:00
diff --git a/NEWS b/NEWS
@@ -15,6 +15,10 @@ PHP                                                                        NEWS
   . Fixed bug #69085 (SoapClient's __call() type confusion through
     unserialize()). (Dmitry)
 
+- ZIP:
+  . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
+    boundary). (Stas)
+
 19 Feb 2015 PHP 5.4.38
 
 - Core:
diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 	return NULL;
     }
 
-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
 	== NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)`
`101`	`101`	`return NULL;`
`102`	`102`	`}`
`103`	`103`
`104`		`- if ((cd->entry=(struct zip_dirent )malloc(sizeof((cd->entry))*nentry))`
	`104`	`+ if ( nentry > ((size_t)-1)/sizeof((cd->entry)) \|\| (cd->entry=(struct zip_dirent )malloc(sizeof((cd->entry))(size_t)nentry))`
`105`	`105`	`== NULL) {`
`106`	`106`	`_zip_error_set(error, ZIP_ER_MEMORY, 0);`
`107`	`107`	`free(cd);`