Commit:    10e8da1738dc5331c595524837e69fd17ad9236a
Author:    Stanislav Malyshev <s...@php.net>         Thu, 7 Jun 2012 23:05:23 
-0700
Parents:   d24d5b62c1d55af4059c9a220c25cc080895b20c
Branches:  PHP-5.4 master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=10e8da1738dc5331c595524837e69fd17ad9236a

Log:
fix potential overflow in _php_stream_scandir

Changed paths:
  M  main/streams/streams.c


Diff:
diff --git a/main/streams/streams.c b/main/streams/streams.c
index db6e25f..bf1143c 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2332,8 +2332,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char 
**namelist[], int flags, php_
        php_stream *stream;
        php_stream_dirent sdp;
        char **vector = NULL;
-       int vector_size = 0;
-       int nfiles = 0;
+       unsigned int vector_size = 0;
+       unsigned int nfiles = 0;
 
        if (!namelist) {
                return FAILURE;
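Review bot: `vector_size` and `nfiles` become `unsigned int` here while the function is still declared to return `int`, so if the entry count is what gets returned (the return statement is outside this hunk), a count above INT_MAX would convert to a negative value that callers could mistake for an error. Since both variables feed an allocation size and an array index, `size_t vector_size = 0;` and `size_t nfiles = 0;` with an explicit range check before the return would be the more conventional choice. The function body starts and ends outside the hunk.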
@@ -2351,12 +2351,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char 
**namelist[], int flags, php_
                        } else {
                                vector_size *= 2;
                        }
-                       vector = (char **) erealloc(vector, vector_size * 
sizeof(char *));
+                       vector = (char **) safe_erealloc(vector, vector_size, 
sizeof(char *), 0);
                }
 
                vector[nfiles] = estrdup(sdp.d_name);
 
                nfiles++;
+               if(vector_size < 10 || nfiles == 0) {
+                       /* overflow */
+                       efree(vector);
+                       return FAILURE;
+               }
        }
        php_stream_closedir(stream);
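Review bot: The new check after `nfiles++` does not detect every wrap of `vector_size *= 2`, and it runs only after `vector[nfiles]` has already been written. With unsigned arithmetic a doubled value can wrap to a number that is still 10 or more but smaller than `nfiles` (assuming the initial size is 10, which the `< 10` test suggests), in which case `safe_erealloc` would shrink the array and the following store would land past its end; `safe_erealloc` guards the multiplication by `sizeof(char *)`, not the doubling itself. The failure path also frees only the pointer array, leaving the `estrdup`'d names and the open directory stream behind. I would test for the wrap before doubling and release everything there, as sketched below, which makes the post-increment check unnecessary; the loop and the function begin outside this hunk.

```c
                        } else {
                                if (vector_size > UINT_MAX / 2) {
                                        /* doubling would wrap the element count */
                                        while (nfiles > 0) {
                                                efree(vector[--nfiles]);
                                        }
                                        efree(vector);
                                        php_stream_closedir(stream);
                                        return FAILURE;
                                }
                                vector_size *= 2;
                        }
                        /* … unchanged: safe_erealloc call, estrdup store, nfiles++ … */
```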

