changeset:   1718:9f11d54f692e
user:        Thomas Klausner <tk@giga.or.at>
date:        Sat Mar 21 12:28:42 2015 +0100
summary:     Avoid integer overflow. Addresses CVE-2015-2331.

diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c
--- shlr/zip/zip/zip_dirent.c
+++ shlr/zip/zip/zip_dirent.c
@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
 
     if (nentry == 0)
 	cd->entry = NULL;
-    else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*nentry)) == NULL) {
+    else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);
 	return NULL;