fix potential overflow in _php_stream_scandir
authorStanislav Malyshev <stas@php.net>
Fri, 8 Jun 2012 06:05:23 +0000 (23:05 -0700)
committerStanislav Malyshev <stas@php.net>
Fri, 8 Jun 2012 06:09:18 +0000 (23:09 -0700)
main/streams/streams.c

index db6e25f68791dd1abf69a69d0373ebef9b481056..bf1143c56d9c00cb074bdbadd1381e3e93c43407 100755 (executable)
@@ -2332,8 +2332,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
        php_stream *stream;
        php_stream_dirent sdp;
        char **vector = NULL;
-       int vector_size = 0;
-       int nfiles = 0;
+       unsigned int vector_size = 0;
+       unsigned int nfiles = 0;
 
        if (!namelist) {
                return FAILURE;
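Review bot: `nfiles` becomes `unsigned int` here while the function still returns `int` according to the hunk header, so if the count is returned directly (the return statement is outside this hunk) a value above `INT_MAX` would convert to a negative number that callers may not be able to tell apart from a failure return. The wrap test added further down only catches `nfiles == 0`, so I would bound the count explicitly, e.g. `if (nfiles > INT_MAX) { /* treat as overflow */ }`, or add a comment stating why that range cannot be reached. The function body starts and ends outside this hunk.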
@@ -2351,12 +2351,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
                        } else {
                                vector_size *= 2;
                        }
-                       vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+                       vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
                }
 
                vector[nfiles] = estrdup(sdp.d_name);
 
                nfiles++;
+               if(vector_size < 10 || nfiles == 0) {
+                       /* overflow */
+                       efree(vector);
+                       return FAILURE;
+               }
        }
        php_stream_closedir(stream);
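Review bot: The overflow test added after `nfiles++` runs too late and does not reliably detect a wrap. By the time it runs, the doubled `vector_size` has already been passed to `safe_erealloc` and `vector[nfiles]` has already been written. A size that grows by doubling from 10 (as the `< 10` test suggests; the initial assignment is outside the hunk) also wraps to a large non-zero value on a 32-bit `unsigned int`, not to something below 10. The new failure path returns without `php_stream_closedir(stream)` and frees only `vector`, so the stream and every `estrdup`'d name stored so far are left unreleased. I would test before doubling and release everything on that path, as sketched below; the loop and the function begin and end outside this hunk.

```c
			} else {
				if (vector_size * 2 < vector_size) {
					/* doubling would wrap: release the names collected so far */
					while (nfiles > 0) {
						efree(vector[--nfiles]);
					}
					efree(vector);
					php_stream_closedir(stream);
					return FAILURE;
				}
				vector_size *= 2;
			}
			/* … unchanged: safe_erealloc call, estrdup store, nfiles++ … */
```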