Skip to content

Instantly share code, notes, and snippets.

@smalyshev
Last active Apr 20, 2016
Embed
What would you like to do?
commit 7dfb5076ad4bce2382d5c2eb31d8b103466f65db
Author: Stanislav Malyshev <stas@php.net>
Date: Tue Apr 19 23:49:22 2016 -0700
Fix bug #71923 - integer overflow in ZipArchive::getFrom*
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index db201af..7c9adf4 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1281,7 +1281,7 @@ static PHP_NAMED_FUNCTION(zif_zip_entry_read)
}
if (zr_rsrc->zf) {
- buffer = zend_string_alloc(len, 0);
+ buffer = zend_string_safe_alloc(1, len, 0, 0);
n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
if (n > 0) {
ZSTR_VAL(buffer)[n] = '\0';
@@ -2728,7 +2728,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
RETURN_FALSE;
}
- buffer = zend_string_alloc(len, 0);
+ buffer = zend_string_safe_alloc(1, len, 0, 0);
n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
if (n < 1) {
zend_string_free(buffer);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment