fix potential overflow in _php_stream_scandir

author: Stanislav Malyshev <stas@php.net> 2012-06-07 23:05:23 -0700
committer: Stanislav Malyshev <stas@php.net> 2012-06-07 23:09:18 -0700
commit: 10e8da1738dc5331c595524837e69fd17ad9236a (patch)
tree: 32e280beb3fe161b242ade95a8e52b7ce6568509 /main/streams/streams.c
parent: d24d5b62c1d55af4059c9a220c25cc080895b20c (diff)
download: php-git-10e8da1738dc5331c595524837e69fd17ad9236a.tar.gz
1 files changed, 8 insertions, 3 deletions
diff --git a/main/streams/streams.c b/main/streams/streams.c
index db6e25f687..bf1143c56d 100755
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2332,8 +2332,8 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 	php_stream *stream;
 	php_stream_dirent sdp;
 	char **vector = NULL;
-	int vector_size = 0;
-	int nfiles = 0;
+	unsigned int vector_size = 0;
+	unsigned int nfiles = 0;
 
 	if (!namelist) {
 		return FAILURE;
@@ -2351,12 +2351,17 @@ PHPAPI int _php_stream_scandir(char *dirname, char **namelist[], int flags, php_
 			} else {
 				vector_size *= 2;
 			}
-			vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+			vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
 		}
 
 		vector[nfiles] = estrdup(sdp.d_name);
 
 		nfiles++;
+		if(vector_size < 10 || nfiles == 0) {
+			/* overflow */
+			efree(vector);
+			return FAILURE;
+		}
 	}
 	php_stream_closedir(stream);
author	Stanislav Malyshev <stas@php.net>	2012-06-07 23:05:23 -0700
committer	Stanislav Malyshev <stas@php.net>	2012-06-07 23:09:18 -0700
commit	10e8da1738dc5331c595524837e69fd17ad9236a (patch)
tree	32e280beb3fe161b242ade95a8e52b7ce6568509 /main/streams/streams.c
parent	d24d5b62c1d55af4059c9a220c25cc080895b20c (diff)
download	php-git-10e8da1738dc5331c595524837e69fd17ad9236a.tar.gz