-
-
Save smalyshev/00d7a252a1a2a720fefdf34dcdda1103 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| commit 7dfb5076ad4bce2382d5c2eb31d8b103466f65db | |
| Author: Stanislav Malyshev <stas@php.net> | |
| Date: Tue Apr 19 23:49:22 2016 -0700 | |
| Fix bug #71923 - integer overflow in ZipArchive::getFrom* | |
| diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c | |
| index db201af..7c9adf4 100644 | |
| --- a/ext/zip/php_zip.c | |
| +++ b/ext/zip/php_zip.c | |
| @@ -1281,7 +1281,7 @@ static PHP_NAMED_FUNCTION(zif_zip_entry_read) | |
| } | |
| if (zr_rsrc->zf) { | |
| - buffer = zend_string_alloc(len, 0); | |
| + buffer = zend_string_safe_alloc(1, len, 0, 0); | |
| n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); | |
| if (n > 0) { | |
| ZSTR_VAL(buffer)[n] = '\0'; | |
| @@ -2728,7 +2728,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */ | |
| RETURN_FALSE; | |
| } | |
| - buffer = zend_string_alloc(len, 0); | |
| + buffer = zend_string_safe_alloc(1, len, 0, 0); | |
| n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); | |
| if (n < 1) { | |
| zend_string_free(buffer); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment