Commit: 7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1 Author: Stanislav Malyshev <[email protected]> Thu, 7 Jun 2012 23:05:23 -0700 Parents: baacc2cb135280f18f6c908b4b99160fba262c6a Branches: PHP-5.3
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1 Log: fix potential overflow in _php_stream_scandir Changed paths: M NEWS M main/streams/streams.c Diff:
diff --git a/NEWS b/NEWS
index 9d70ebd..380979b 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
 - Core:
 . Fixed CVE-2012-2143. (Solar Designer)
+ . Fixed potential overflow in _php_stream_scandir. (Jason Powell,
+ Stas)
 - Fileinfo:
 . Fixed magic file regex support. (Felipe)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index fe7800b..43cb010 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2262,8 +2262,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 php_stream *stream;
 php_stream_dirent sdp;
 char **vector = NULL;
- int vector_size = 0;
- int nfiles = 0;
+ unsigned int vector_size = 0;
+ unsigned int nfiles = 0;
 if (!namelist) {
 return FAILURE;
@@ -2281,12 +2281,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 } else {
 vector_size *= 2;
 }
- vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+ vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
 }
 vector[nfiles] = estrdup(sdp.d_name);
 nfiles++;
+ if(vector_size < 10 || nfiles == 0) {
+ /* overflow */
+ efree(vector);
+ return FAILURE;
+ }
 }
 php_stream_closedir(stream);
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
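Review bot: The two counters in the first streams.c hunk become `unsigned int` while the function still returns `int` (see the signature in the hunk header), and nothing on the declarations says why the signedness changed. A short comment such as `/* unsigned so that wrap-around is well defined and can be detected */` above them would record the intent. If `nfiles` is the value the function returns, a count above INT_MAX would come back negative and be indistinguishable from a failure code; the return statement lies outside this hunk, so that needs confirming against the full function.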
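Review bot: The overflow guard added after `nfiles++` in the second streams.c hunk runs only after `safe_erealloc()` and the store to `vector[nfiles]` have already used the doubled size. A wrapped `vector_size` is also not necessarily below 10: doubling from 10 with a 32-bit unsigned int, the first wrap lands on 2^30, so the store can happen before anything is detected. Testing before the doubling, `if (vector_size * 2 < vector_size)`, rejects the wrap before the array is resized or written, and makes the post-increment test unnecessary. The failure branch also returns without `php_stream_closedir(stream)` and frees only the array, not the `estrdup()` copies stored in it, so the directory stream and the collected names leak on that path. The enclosing loop and the `if (nfiles == vector_size)` test start above this hunk.

```c
			} else {
				if (vector_size * 2 < vector_size) {
					/* doubling would wrap: stop before resizing or storing */
					while (nfiles > 0) {
						efree(vector[--nfiles]);
					}
					efree(vector);
					php_stream_closedir(stream);
					return FAILURE;
				}
				vector_size *= 2;
			}
			vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
		/* … unchanged: closing brace, estrdup into vector[nfiles], nfiles++ … */
```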
