summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2012-06-08 06:05:23 (GMT)
committerStanislav Malyshev <stas@php.net>2012-06-08 06:09:18 (GMT)
commit10e8da1738dc5331c595524837e69fd17ad9236a (patch)
tree32e280beb3fe161b242ade95a8e52b7ce6568509
parentd24d5b62c1d55af4059c9a220c25cc080895b20c (diff)
downloadphp-10e8da1738dc5331c595524837e69fd17ad9236a.tar.gz
fix potential overflow in _php_stream_scandir
-rwxr-xr-xmain/streams/streams.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/main/streams/streams.c b/main/streams/streams.c
index db6e25f..bf1143c 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2332,8 +2332,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
php_stream *stream;
php_stream_dirent sdp;
char **vector = NULL;
- int vector_size = 0;
- int nfiles = 0;
+ unsigned int vector_size = 0;
+ unsigned int nfiles = 0;
if (!namelist) {
return FAILURE;
@@ -2351,12 +2351,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
} else {
vector_size *= 2;
}
- vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+ vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
}
vector[nfiles] = estrdup(sdp.d_name);
nfiles++;
+ if(vector_size < 10 || nfiles == 0) {
+ /* overflow */
+ efree(vector);
+ return FAILURE;
+ }
}
php_stream_closedir(stream);