From 4a8d8b4154334b1714e19b82b061201d41dc87d6 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 17 Mar 2015 21:59:56 -0700
Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
 heap boundary

---
 ext/zip/lib/zip_dirent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
index b9dac5c..0090801 100644
--- a/ext/zip/lib/zip_dirent.c
+++ b/ext/zip/lib/zip_dirent.c
@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 	return NULL;
     }
 
-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
+    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
 	== NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);
-- 
2.1.4