fix potential overflow in _php_stream_scandir

php · Jun 8, 2012 · 7d04e0f · 7d04e0f
1 parent baacc2c
commit 7d04e0f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/NEWS b/NEWS
@@ -10,6 +10,8 @@ PHP                                                                        NEWS
 
 - Core:
   . Fixed CVE-2012-2143. (Solar Designer)
+  . Fixed potential overflow in _php_stream_scandir. (Jason Powell,
+    Stas)
 
 - Fileinfo:
   . Fixed magic file regex support. (Felipe)

diff --git a/main/streams/streams.c b/main/streams/streams.c
@@ -2262,8 +2262,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 	php_stream *stream;
 	php_stream_dirent sdp;
 	char **vector = NULL;
-	int vector_size = 0;
-	int nfiles = 0;
+	unsigned int vector_size = 0;
+	unsigned int nfiles = 0;
 
 	if (!namelist) {
 		return FAILURE;
@@ -2281,12 +2281,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 			} else {
 				vector_size *= 2;
 			}
-			vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+			vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
 		}
 
 		vector[nfiles] = estrdup(sdp.d_name);
 
 		nfiles++;
+		if(vector_size < 10 || nfiles == 0) {
+			/* overflow */
+			efree(vector);
+			return FAILURE;
+		}
 	}
 	php_stream_closedir(stream);