authorStanislav Malyshev <stas@php.net>2012-06-08 06:05:23 (GMT)
committerStanislav Malyshev <stas@php.net>2012-06-08 06:08:35 (GMT)
commit7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1 (patch)
treefc5036234c63c2412843a399cf354732fdbbfed5
parentbaacc2cb135280f18f6c908b4b99160fba262c6a (diff)
downloadphp-7d04e0fb2ec8be9b1c4b16a9f0b4958f853597f1.tar.gz
fix potential overflow in _php_stream_scandir
-rw-r--r--NEWS2
-rwxr-xr-xmain/streams/streams.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index 9d70ebd..380979b 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
- Core:
. Fixed CVE-2012-2143. (Solar Designer)
+ . Fixed potential overflow in _php_stream_scandir. (Jason Powell,
+ Stas)
- Fileinfo:
. Fixed magic file regex support. (Felipe)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index fe7800b..43cb010 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2262,8 +2262,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
php_stream *stream;
php_stream_dirent sdp;
char **vector = NULL;
- int vector_size = 0;
- int nfiles = 0;
+ unsigned int vector_size = 0;
+ unsigned int nfiles = 0;
if (!namelist) {
return FAILURE;
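Review bot: Making `vector_size` and `nfiles` unsigned leaves the function's `int` return type unchanged, and nothing in this hunk bounds the count to `INT_MAX`. If `nfiles` is the value returned (the return statement is outside the hunk, so this is inferred), a count above `INT_MAX` would convert to a negative number that callers could mistake for an error code. A comment on the declarations such as `/* unsigned so wrap-around is well defined; the int return value still caps usable counts at INT_MAX */`, or an explicit `nfiles > INT_MAX` rejection before returning, would make the limit visible.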
@@ -2281,12 +2281,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
} else {
vector_size *= 2;
}
- vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+ vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
}
vector[nfiles] = estrdup(sdp.d_name);
nfiles++;
+ if(vector_size < 10 || nfiles == 0) {
+ /* overflow */
+ efree(vector);
+ return FAILURE;
+ }
}
php_stream_closedir(stream);
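Review bot: The overflow test added after `nfiles++` runs only once `vector[nfiles] = estrdup(sdp.d_name)` has already stored through the index, and `vector_size < 10` does not catch the first wrap of `vector_size *= 2`. Assuming a 32-bit `unsigned int`, the sequence 10, 20, … wraps to a large non-zero value well before it reaches 0, so on a build where `safe_erealloc` still succeeds the vector could end up smaller than `nfiles`. The wrap is better rejected in the `else` branch before the doubling, as sketched below. The failure path also returns without calling `php_stream_closedir(stream)` and frees only `vector`, not the strings already stored in it; the existing post-increment check needs the same cleanup. The enclosing loop and function begin and end outside this hunk.

```c
		} else {
			if (vector_size * 2 < vector_size) {
				/* doubling would wrap: release everything gathered so far */
				php_stream_closedir(stream);
				while (nfiles > 0) {
					efree(vector[--nfiles]);
				}
				efree(vector);
				return FAILURE;
			}
			vector_size *= 2;
		}
		/* … unchanged: safe_erealloc call, estrdup into vector[nfiles], nfiles++ … */
```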