Fix bug #71923 - integer overflow in ZipArchive::getFrom*
authorStanislav Malyshev <stas@php.net>
Wed, 20 Apr 2016 06:49:22 +0000 (23:49 -0700)
committerStanislav Malyshev <stas@php.net>
Wed, 27 Apr 2016 05:59:09 +0000 (22:59 -0700)
ext/zip/php_zip.c

index db201af6347f672ad506477ac0bc2d861da0f2f4..7c9adf4af780a04b82bdb1facf849d07a60b8576 100644 (file)
@@ -1281,7 +1281,7 @@ static PHP_NAMED_FUNCTION(zif_zip_entry_read)
        }
 
        if (zr_rsrc->zf) {
-               buffer = zend_string_alloc(len, 0);
+               buffer = zend_string_safe_alloc(1, len, 0, 0);
                n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
                if (n > 0) {
                        ZSTR_VAL(buffer)[n] = '\0';
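Review bot: The result stored at `n = zip_fread(zr_rsrc->zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));` may be narrower than libzip's 64-bit return type; the declaration of n is outside the hunk, so this needs confirming. If it is a plain `int`, a read above INT_MAX would truncate, and the index in `ZSTR_VAL(buffer)[n] = '\0'` would no longer match the bytes actually read, so `zip_int64_t n;` would keep the overflow-checked allocation and the read length consistent. The same applies to the php_zip_get_from hunk below. A short comment on the new call, for example `/* safe_alloc aborts on size overflow instead of wrapping (bug #71923) */`, would also explain the otherwise opaque `1, len, 0, 0` arguments.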
@@ -2728,7 +2728,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
                RETURN_FALSE;
        }
 
-       buffer = zend_string_alloc(len, 0);
+       buffer = zend_string_safe_alloc(1, len, 0, 0);
        n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer));
        if (n < 1) {
                zend_string_free(buffer);
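Review bot: `len` still sizes the buffer directly at `zend_string_safe_alloc(1, len, 0, 0)`, so a caller-supplied length far larger than the entry forces an equally large allocation before any data is read. Whether len is capped earlier in php_zip_get_from is not visible here, since the function starts and ends outside the hunk. If it is not capped, a clamp such as `if (len > entry_size) len = entry_size;` would bound the allocation by the archive contents rather than by the argument. Here entry_size is a placeholder for the uncompressed size from the entry's stat result.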