Commit:    7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1
Author:    Stanislav Malyshev <s...@php.net>         Thu, 7 Jun 2012 23:05:23 
-0700
Parents:   baacc2cb135280f18f6c908b4b99160fba262c6a
Branches:  PHP-5.3

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1

Log:
fix potential overflow in _php_stream_scandir

Changed paths:
  M  NEWS
  M  main/streams/streams.c


Diff:
diff --git a/NEWS b/NEWS
index 9d70ebd..380979b 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP                                                           
             NEWS
 
 - Core:
   . Fixed CVE-2012-2143. (Solar Designer)
+  . Fixed potential overflow in _php_stream_scandir. (Jason Powell,
+    Stas)
 
 - Fileinfo:
   . Fixed magic file regex support. (Felipe)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index fe7800b..43cb010 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2262,8 +2262,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char 
**namelist[], int flags, php_
        php_stream *stream;
        php_stream_dirent sdp;
        char **vector = NULL;
-       int vector_size = 0;
-       int nfiles = 0;
+       unsigned int vector_size = 0;
+       unsigned int nfiles = 0;
 
        if (!namelist) {
                return FAILURE;
@@ -2281,12 +2281,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char 
**namelist[], int flags, php_
                        } else {
                                vector_size *= 2;
                        }
-                       vector = (char **) erealloc(vector, vector_size * 
sizeof(char *));
+                       vector = (char **) safe_erealloc(vector, vector_size, 
sizeof(char *), 0);
                }
 
                vector[nfiles] = estrdup(sdp.d_name);
 
                nfiles++;
+               if(vector_size < 10 || nfiles == 0) {
+                       /* overflow */
+                       efree(vector);
+                       return FAILURE;
+               }
        }
        php_stream_closedir(stream);


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to