1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -2144,8 +2144,8 @@ PHPAPI int _php_stream_scandir(char *dir
php_stream *stream;
php_stream_dirent sdp;
char **vector = NULL;
- int vector_size = 0;
- int nfiles = 0;
+ unsigned int vector_size = 0;
+ unsigned int nfiles = 0;
if (!namelist) {
return FAILURE;
@@ -2161,14 +2161,24 @@ PHPAPI int _php_stream_scandir(char *dir
if (vector_size == 0) {
vector_size = 10;
} else {
+ if(vector_size*2 < vector_size) {
+ /* overflow */
+ efree(vector);
+ return FAILURE;
+ }
vector_size *= 2;
}
- vector = (char **) erealloc(vector, vector_size * sizeof(char *));
+ vector = (char **) safe_erealloc(vector, vector_size, sizeof(char *), 0);
}
vector[nfiles] = estrdup(sdp.d_name);
nfiles++;
+ if(vector_size < 10 || nfiles == 0) {
+ /* overflow */
+ efree(vector);
+ return FAILURE;
+ }
}
php_stream_closedir(stream);
|
